“You take the blue pill, the story ends, you wake up in your bed and head into your new CISO role with no foresight. You take the red pill, you stay in wonderland, and I show you how deep the CISO rabbit hole goes.” – Morpheus, probably.
The role of CISO is highly sought after by security technologists, with many considering it the pinnacle of a security technologist’s career.
However, the reality of being a CISO isn’t as glamorous as it is sometimes made out to be. Yes, the pay is generous (and it’s well and truly bountiful for CISOs in the USA), but that is remuneration for the sheer amount of brain-power that the role requires – brain-power that is far more than just technical.
So get your Neo trench coat on, it’s time to take the CISO pill.
When you look at CISO vacancies, you’re likely to see a job description like this:
And in terms of the kind of individual they are looking for, job ads will usually list:
The very vanilla definition of the CISO role that you see on job advertisements may be technically correct, but it belies some of the more challenging realities of life in the role.
Being a CISO is certainly not for the faint of heart. Even though you may see a move up to the role as the next logical, hierarchical step on your career ladder, know that it can take real determination to make it as a CISO.
This is an essential skill for a CISO, yet one that often gets overlooked when advertising a role. CISOs often need to be adept communicators and speak three “languages”:
The language of business, budgets, and the boardroom,
Technical language and jargon to communicate accurately with tech teams,
Simplified, non-tech speak to explain potentially technical concepts to non-techy people.
Any good CISO will need to express their ideas fluently depending on who they’re talking to. This also means that you may have to effortlessly switch between these three “languages” on any given day.
For example, non-tech teams (including the board!) generally won’t understand tech speak; entry level staff and dyed-in-the-wool techies are less likely to understand highfalutin business lingo; yet tech teams will appreciate you using the most direct technical jargon when communicating tech information.
Though being a CISO is a highly technical role, this is another feature that often gets swept under the rug. The focus of being a CISO isn’t about being a technologist – it’s about being both a leader and a champion of security culture throughout an organisation.
It’s a far cry from the technical focus you may be used to – and often removed from the kinds of hands-on work you did to rise through the ranks. Becoming a CISO means you have to fluidly walk the walk and talk the talk of the other high-powered execs you’re rubbing shoulders with.
Naturally this involves dealing with the board and the C-Suite, but it can also include dealing with non-executive directors and regulators, particularly in financial services and infrastructure organisations.
The CISO role isn’t your stereotypical cushy exec role – it requires an immensely cool composure – especially in a crisis (or numerous crises!).
Let’s start with the worst thing that can happen as a CISO: a data breach or cyber incident. In this situation, the CISO has no time to crumble under the pressure. They have to rally their troops to deal with the issue; have those thorny conversations with the other execs about what’s happening; keep their team plugging away until security is restored; and oversee essential post-breach investigations. All of which require immense integrity and composure.
Even on a normal day, CISOs need to manage their teams well, oversee technical (and sometimes cultural) change; maintain cybersecurity strategy; navigate the politics of the boardroom; uphold the organisation’s regulatory and legislative responsibilities; and make sound arguments and decisions around budget.
Being a CISO can be an incredibly rewarding – and well-compensated – role. However, it involves a lot of stress and requires a certain unflappability. That’s something the usual job description doesn’t really communicate.
CISOs need to be able to dance the dance of high-powered business meetings and play the game of high-pressure business politics. It takes a fearless individual to strike up and navigate the often difficult conversations that sometimes need to be had about cybersecurity.
A quality CISO needs the spine to wade into thorny discussions with the board, and be prepared to present the cybersecurity status quo without sugar-coating anything or glossing over the less favourable bits. They need to be willing to argue their point with sound business and technical reasoning.
Alas, high-level execs generally hate surprises in the boardroom, yet cybersecurity is often a moving feast where uncertainty abounds.
The CISO job ad should probably include the line “Serial avoiders and/or ‘yes-people’ need not apply.”
Being a CISO isn’t just about maintaining strategies, budgets, and other examples of merely “moving bits of paper around”. It involves truly championing IT security as a cause throughout the organisation.
Managing cultural and behavioural change throughout a whole company is never going to be easy. Yet even something as simple as getting your organisation to adopt Multi-Factor Authentication every time they log in can be met with resentment and derision.
Sadly, people don’t like change. But as you likely well know, cybersecurity rarely stays still. You need to be able to advocate for the cause of information security across departments and seniority – even if that means you are sometimes seen as the bossy “bad guy” asking people to do new secure things that are totally alien to them.
But good CISOs don’t just need to get people to do things more securely – ideally, they should also be willing to help people understand why these changes are important and necessary.
This is no mean feat when you are dealing with particularly stubborn teams… like the C-Suite! Did you know that 76% of CEOs admitted to bypassing security to get things done faster? There’s a particularly contentious boardroom conversation topic to get you started!
Being business-savvy – and preferably having lived experience in executive settings – is a must for the would-be CISO. Deloitte identified what it called the 4 faces of the CISO – “guardian and technologist” (the two that security folks are usually more au fait with), and “strategist and advisor” (the two that are desperately needed, yet harder to come by amongst techies).
In their role as a “strategist”, the CISO will be called upon to harmonise business and security strategies. They will possess deep business knowledge and fluently and contextually advise on all aspects of technical risk management. They will be expected to juggle security investments, budgets, and governance in line with business priorities.
The role of “advisor” stays abreast of new technologies – and emerging threats – and offers a strategic approach to minimise the chances of attack. They will also be expected to continuously improve strategy; build and use their political capital to progress cybersecurity posture; and align cybersecurity efforts with corporate risk appetite.
If you think you have what it takes in light of these realities, you’d fit right in as a CISO. Here are a few extra pointers to help you get CISO-ready.
Getting into the CISO-Zone
That Dreaded Boardroom!
Key Boardroom Questions You Need to Be Able to Answer
All in all, being a CISO is hard work, and often involves much more than the job descriptions let on! But if you still feel calm and collected in the face of these hard truths about the CISO life, you may well have what it takes.
So let’s talk about your next move. We have 15 years’ experience in placing some of the security world’s brightest minds.