The reality of becoming a CISO may be a far cry from the hands-on technologist roles you’ve had in the past.

Let’s investigate some of the hard truths of becoming a CISO.


“You take the blue pill, the story ends, you wake up in your bed and head into your new CISO role with no foresight. You take the red pill, you stay in wonderland, and I show you how deep the CISO rabbit hole goes.” – Morpheus, probably.

The role of CISO is highly sought after by security technologists, with many considering it the pinnacle of a security technologist’s career.

However, the reality of being a CISO isn’t as glamorous as it is sometimes made out to be. Yes, the pay is generous (and it’s well and truly bountiful for CISOs in the USA), but that is remuneration for the sheer amount of brain-power that the role requires – brain-power that is far more than just technical.

So get your Neo trench coat on, it’s time to take the CISO pill.

 

The Textbook CISO Job Definition

When you look at CISO vacancies, you’re likely to see a job description like this:

  • Develop and embed high-level security strategy and ensure it is communicated and implemented throughout the organisation.
  • Communicate relevant information about security posture, preventative measures, risk profile, and remediation to C-Suite, and the Board of Directors.
  • Develop, implement, and manage the organisation’s cyber- and network risk management infrastructure to maintain a strong security posture.
  • Actively limit the chances of breach, fine, or successful cyber attack through risk management, strategy, tech investment, and culturally championing security throughout the organisation.
  • Continually improve upon the organisation’s security posture through continuous evaluation of existing security systems, adoption of new technologies, and Target Operating Models.
  • Liaise with high-level managers and C-Suite execs to ensure that security is embedded at a strategic, behavioural, and practical level.
  • Ensure compliance with relevant legislation through a well-rounded risk-led security strategy with embedded GRC focus.
  • Oversee maintenance/set up of security reporting capabilities and alerting in line with security strategy.
  • Enact practical and proactive disaster recovery, business continuity, and data loss prevention strategies.
  • Supervise and direct any post-incident activities including remediation and investigation.

 

And in terms of the kind of individual they are looking for, job ads will usually list:

  • Extensive experience in senior management and IT security.
  • A thorough understanding of frameworks and legislation like ISO27001, UK GDPR, and Cyber Essentials, with experience of implementing them at scale.
  • Experience in managing often complex budgets and presenting sound reasoning for technical change.
  • Team management experience, including overseeing team growth and development.
  • A track record of implementing positive technical change and taking ownership of such projects.
  • Experience in liaising with senior management and other stakeholders across departments and hierarchy.
  • Demonstrated knowledge of secure and practical cyber/network defence and countermeasures.
  • CISSP or CISM qualifications tend to be somewhat expected, becoming “must haves” if the company provides tech or security services.

 

The Reality of the CISO Role

The very vanilla definition of the CISO role that you see on job advertisements may be technically correct, but it belies some of the more challenging realities of life in the role.

Being a CISO is certainly not for the faint of heart. Even though you may see a move up to the role as the next logical, hierarchical step on your career ladder, know that it can take real determination to make it as a CISO.

 

You Need to Speak Business, Tech, and Non-Tech Lingo

This is an essential skill for a CISO, yet one that often gets overlooked when advertising a role. CISOs often need to be adept communicators and speak three “languages”:

  • The language of business, budgets, and the boardroom.
  • Technical language and jargon to communicate accurately with tech teams.
  • Simplified, non-tech speak to explain potentially technical concepts to non-techy people.

Any good CISO will need to express their ideas fluently depending on who they’re talking to. This also means that you may have to effortlessly switch between these three “languages” on any given day.

For example, non-tech teams (including the board!) generally won’t understand tech speak; entry level staff and dyed-in-the-wool techies are less likely to understand highfalutin business lingo; yet tech teams will appreciate you using the most direct technical jargon when communicating tech information.

 

CISOs are Top Execs First and Security Pros Second

Though being a CISO is a highly technical role, this is another feature that often gets swept under the rug. The focus of being a CISO isn’t about being a technologist – it’s about being both a leader and a champion of security culture throughout an organisation.

 

It’s a far cry from the technical focus you may be used to – and often removed from the kinds of hands-on work you did to rise through the ranks. Becoming a CISO means you have to fluidly walk the walk and talk the talk of the other high-powered execs you’re rubbing shoulders with.

 

Naturally this involves dealing with the board and the C-Suite, but it can also include dealing with non-executive directors and regulators, particularly in financial services and infrastructure organisations.

 

A Cool Head is a Must-Have

A CISO isn’t your stereotypical cushy exec role – it requires an immensely cool composure – especially in a crisis (or numerous crises!).

 

Let’s start with the worst thing that can happen as a CISO: a data breach or cyber incident. In this situation, the CISO has no time to crumble under the pressure. They have to rally their troops to deal with the issue; have those thorny conversations with the other execs about what’s happening; keep their team plugging away until security is restored; and oversee essential post-breach investigations. All of which require immense integrity and composure.

 

Even on a normal day, CISOs need to manage their teams well, oversee technical (and sometimes cultural) change; maintain cybersecurity strategy; navigate the politics of the boardroom; uphold the organisation’s regulatory and legislative responsibilities; and make sound arguments and decisions around budget.

 

Being a CISO can be an incredibly rewarding – and well-compensated – role. However, it involves a lot of stress and requires a certain unflappability. That’s something the usual job description doesn’t really communicate.

 

The Boardroom is “The Room Where it Happens”

CISOs need to be able to dance the dance of high-powered business meetings and play the game of high-pressure business politics. It takes a fearless individual to strike up and navigate the often difficult conversations that sometimes need to be had about cybersecurity.

 

A quality CISO needs the spine to wade into thorny discussions with the board, and be prepared to present the cybersecurity status quo without sugar-coating anything or glossing over the less favourable bits. They need to be willing to argue their point with sound business and technical reasoning.

 

Alas, high-level execs generally hate surprises in the boardroom, yet cybersecurity is often a moveable feast where uncertainty abounds.

 

The CISO job ad should probably include the line “Serial avoiders and/or ‘yes-people’ need not apply.”

 

Leadership is a Non-Negotiable Skill

Being a CISO isn’t just about maintaining strategies, budgets, and other examples of merely “moving bits of paper around”. It involves truly championing IT security as a cause throughout the organisation.

 

Managing cultural and behavioural change throughout a whole company is never going to be easy. Even something as simple as getting your organisation to adopt Multi-Factor Authentication every time they log in can be met with resentment and derision.

 

Sadly, people don’t like change. But as you likely well know, cybersecurity rarely stays still. You need to be able to advocate for the cause of information security across departments and seniority – even if that means you are sometimes seen as the bossy “bad guy” asking people to do new secure things that are totally alien to them.

 

But good CISOs shouldn’t just get people to do things more securely – they should be willing to help people understand why these changes are important and necessary.

 

This is no mean feat when you are dealing with particularly stubborn teams… like the C-Suite! Did you know that 76% of CEOs admitted to bypassing security to get things done faster? There’s a particularly contentious boardroom conversation topic to get you started!

 

Business Knowledge is as Important as Technical Knowledge

Being business-savvy – and preferably having lived experience in executive settings – is a must for the would-be CISO. Deloitte identified what it called the 4 faces of the CISO – “guardian and technologist” (the two that security folks are usually more au fait with), and “strategist and advisor” (the two that are desperately needed, yet harder to come by amongst techies).

 

In their role as a “strategist”, the CISO will be called upon to harmonise business and security strategies. They will possess deep business knowledge and fluently and contextually advise on all aspects of technical risk management. They will be expected to juggle security investments, budgets, and governance in line with business priorities.

 

In their role as an “advisor”, the CISO stays abreast of new technologies – and emerging threats – and offers a strategic approach to minimise the chances of attack. They will also be expected to continuously improve strategy; build and use their political capital to progress cybersecurity posture; and align cybersecurity efforts with corporate risk appetite.

 

Get CISO-Ready: Advice from Real-Life CISOs

If you think you have what it takes in light of these realities, you’d fit right in as a CISO. Here are a few extra pointers to help you get CISO-ready.

 

Getting into the CISO-Zone

  • Take advice from a mentor or trusted person in your network who presents to the board, ideally one who has presented to the board you will be in front of.
  • If you are a deputy CISO or you have a good relationship with your CISO, ask to accompany them to board meetings to get a feel for it. It’s more than just a meeting – it can be quite nerve-wracking! Preparing yourself for boardroom life can help you steel yourself for a CISO role.
  • If your strengths are strictly technical, balance this out with business skills. Some CISOs have even gone so far as to start MBAs to get up to speed with the level of business knowledge required – an approach that I personally recommend!
  • Know your limitations before you bite off more than you can chew. Just because you are the Head of SOC at a Tier 1 Investment Bank, it doesn’t necessarily mean you are ready to be CISO at the same organisation. Be prepared to take a CISO position at a smaller organisation to learn the ropes in a more forgiving environment.
  • Assess your qualifications – CISSP/CISM may soon become a minimum requirement for many CISO vacancies.

 

That Dreaded Boardroom!

  • Unless it’s an emergency, don’t approach the board for a decision without mapping out at least one ideal solution – but ideally three…
  • Provide the board with 3 possible options for any decision and steer the board towards your favourite. (Ah, the illusion of choice!).
  • Know that the board hates surprises. Don’t surprise them with crucial problems during meetings – keep them in the loop beforehand.
  • Don’t bend the truth or bury uncomfortable information in bluff and/or fluff. The board just wants to know things straight and can often sense dishonesty a mile away. Be just as direct with them as they are with you!
  • Being at C-Suite level is much more political than you may realise. If you can’t handle office politics, know that C-Suite politics are on a whole other level!

 

Key Boardroom Questions You Need to Be Able to Answer

  • How do you align your proposed security strategy with our business strategy?
  • Are we 100% secure? If not, what percentage are we at and why are we putting up with that shortfall?
  • How strong is our security posture?
  • Given our current defences and posture, what is the worst possible scenario following a breach?
  • What plans are in place to protect us from a data breach or cyber attack? Why are those our best plans?
  • How will [insert external factor here] affect our security posture? (This can be as minor as seasonal industry flux or as serious as a pandemic or warfare.)
  • How do/can we measure the effectiveness of controls? How do we know they’re working?
  • Are we spending enough/too much?
  • Why are we over/under-spending?

 

All in all, being a CISO is hard work, and often involves much more than the job descriptions let on! But if you still feel calm and collected in the face of these hard truths about the CISO life, you may well have what it takes.

 

So let’s talk about your next move. We have 15 years’ experience in placing some of the security world’s brightest minds.

 
