As the frequency and sophistication of cyber attacks continue to rise, the need for skilled security professionals and talented Chief Information Security Officers (CISOs) becomes clearer. Today, 60.8% of enterprises have a CISO, and this role has become so strategic to organizational success that the CISO reports directly to the CEO at 32% of companies. Becoming a CISO is complicated and often unpredictable. There is no single recipe.

However, there are some common paths people take to this position. CISOs possess a different mentality towards security than most practitioners. They not only protect corporate data, but they also manage individuals and develop comprehensive and holistic risk management and security policies and controls that meet business goals. Today’s CISO spends as much time in executive meetings discussing sales, finance, and operations as they do in their corporate security operations center.

Understanding organizational risk and effectively implementing the technology, people, and processes to mitigate it are two significant job roles of today’s CISO.

Michael Roling, CISO, State of Missouri


CISOs understand how to convey executive-level security information to the organization while also delivering a combination of technical knowledge and leadership competency. They possess superior business intelligence and technical brilliance.

Consistently measure and communicate security in layman’s terms (boil it down) so that everyone can understand it.

George Do, CISO, Equinix

Education, certifications, and experience

Becoming a CISO is a marathon. It usually starts with an undergraduate degree in computer science or information technology. Armed with a bachelor’s degree, there are a couple of options to consider: 1) get a job as a general IT specialist and gain experience, or 2) start by earning an IT security certification. Most aspiring CISOs augment their certifications with a Master of Business Administration degree down the road. As one of the most sought-after degrees, an MBA further validates one’s executive capabilities. Regardless of which path is taken, security certifications are almost always a must.

Stay in tune with the business side of your organization, as it will help you understand their processes and the direction they’re headed. Being in the CISO role or other C-level positions requires strong forecasting and planning that can only come from knowing where your organization is headed.

Michael Roling, CISO, State of Missouri

There are several certifications one can earn on the path to becoming a CISO, such as the CISA (IT audit), the CFE (fraud examination), and the OSCP (offensive security). Below are two of the most important: CISSP and CISM.

These two certifications are the most widely recognized worldwide. Their exams are fairly difficult, requiring a breadth of knowledge gained from years of cybersecurity experience.

Why certify?

According to a recent Cloud Security Alliance (CSA) survey report, the biggest barrier to effectively detecting and stopping data loss in the cloud is a lack of skilled security professionals able to realize the full value of new technologies. The cybersecurity job market has never looked hotter, and certified security professionals also earn more than their non-certified counterparts.

Benefits of CISSP:

  • Validates security aptitude grown from a combination of experience and formal study
  • Proves in-depth expertise in building a security stack that meets global standards
  • Sets the holder apart from other security professionals competing for the same job openings
  • Confirms a commitment to continual self-education and up-to-date knowledge of the latest trends and best practices

CISSP certified professionals can:

  • Provide continuous protection against cyberattacks
  • Offer up-to-date expertise on known and emerging risks, technologies, standards and best practices
  • Build a common language around cybersecurity, avoiding uncertainty around accepted terms and practices
  • Legitimize an organization’s cybersecurity capabilities in the eyes of clients and partners

Benefits of CISM:

  • Confirms that the certified professional understands how and where information security meets broader business goals
  • Proves that the professional possesses both the managerial skills needed to build security programs and the technical expertise required to execute them
  • Opens up networking opportunities among skilled security professionals
  • Ensures steady personal growth and career advancement expected at large enterprises

CISM certified professionals can:

  • Address security issues by designing and managing programs at a conceptual level
  • Convey trustworthiness to the company of employment
  • Maintain a big picture view by evaluating, crafting and overseeing the company’s IT security
  • Align the company’s business goals with security practices

CISSP vs CISM?

In many ways, CISM certification can be considered a natural progression after one has been CISSP certified. You’re not required to get them both, but they complement each other and can accelerate the path towards becoming a CISO.

CISSP is for the tactical practitioners of cybersecurity. It tests in-depth technical knowledge of day-to-day security tasks including security and risk management, security engineering, network security, identity and access security, and application development security among other things.

CISM is a certification that puts greater weight on creating and managing security programs. CISM-certified professionals tend to maintain a high-level view of IT security, and work towards aligning the company’s business goals with the security systems needed to support those goals. CISM certification focuses on risk management, and is meant for management-level professionals who want to continue their managerial career development in the field of cybersecurity.

Regardless of which certifications are acquired, a CISO’s most important qualifier is usually the experience they bring to the organization. CISOs are required to be forward looking, make forecasts, develop teams, acquire budget and stay within that budget. These skills are usually built over time. As they develop their security skills, they must also improve their communication, organization, and leadership skills.

Most aspiring CISOs augment their certifications with a Master of Business Administration degree. As one of the most sought-after degrees, an MBA is versatile and further validates one’s executive capabilities.