Chief Information Security Officers are some of the newest professionals at the top of the corporate ladder. Our increasing reliance on computer technology has resulted in an equal increase in outside threats from hackers, corporate spies, and other ne'er-do-wells. Thus, those who are capable of protecting a firm's computer systems from outside attacks are in high demand. They also garner top pay for their expertise and long hours. This page is all about CISOs, including how to become one, what is required in the job, and more.
CISO vs. CIO or CSO
Though their job titles sound similar, a Chief Information Security Officer has a very different job from both a Chief Information Officer and a Chief Security Officer. The CISO is primarily concerned with the security of the firm's information. A CIO, on the other hand, is more concerned with building the hardware and software infrastructure that handles the firm's data under ordinary circumstances, and a CSO has broader concerns than the data itself.
While the three types of professionals will certainly overlap in their concerns, they each have distinct duties. Smaller firms may attempt to combine these duties under a single job description. While sometimes successful, these firms often need to employ outside consultants for specific matters of information security.
The job title Chief Information Security Officer is not easily attained. It usually comes after many years in the trenches of cyber security and information technology. This is a C-level position, which means that when you reach it, you'll be sitting in the corporate suites, in an office with a view. If this is a goal of yours, it's important to prepare a roadmap for your success.
First, you'll want to complete a baccalaureate degree in information technology or computer science. Since your focus is security, it's wise to fill your undergraduate transcripts with as many security-related courses as possible.
After graduation, you should start seeking certifications. Cisco, Microsoft, and others offer certificates in information security and related issues, such as database management. Find the best certificate program for you and maintain your knowledge through continuing education. Along the way, you should seek positions that offer the best experience and challenges to make you the best security officer possible.
After approximately ten years of experience, you should consider an MBA. To reach the C-suite you'll need a master's level of leadership and administration skill. Not only will the academic credentials help open the C-suite doors, but the knowledge and insights you gain will make you highly effective. Further, many MBA programs offer concentrations in IT, including security-focused coursework and degrees.
What are Their Responsibilities, Common Duties, and Tasks?
As a CISO, you will bear a lot of responsibility. After all, modern success depends on a firm's information systems. The position thus has countless duties and tasks, but a few stand out. First, you'll need to develop security protocols and programs. This might sound simplistic, but success is often based on fundamental skills, not extraordinary events.
Those protocols should be developed and disseminated throughout the firm. Your leadership skills will be needed to instill the importance of every protocol in the mind of every network administrator and end user in the system. Thus, you must also be a phenomenal manager. You'll need to be current with the latest trends in information security and be able to lead your team to stay ahead of those trends. By the time security protocols are established in the security community, hackers have already started working to find a way around them. Thus, you should keep yourself and your staff trained and ready.
You should also communicate with both your security team and the wider firm on a regular basis. For instance, end users need to be prompted to update passwords and follow other security protocols, and staff such as database administrators need to ensure that all permissions are kept up to date.
How to Become a CISO
To become a CISO, you need to start your career with a degree that prepares you for success. Undergraduate degrees tend to be rather general, but you could choose to major in computer science or information technology and focus on security issues. Some programs focused exclusively on information security may be emerging, but those are still somewhat rare. Strive to build the core skills you'll need, including knowledge of hardware, programming, database management, and networking. Once you have those fundamentals, you can launch into the job market.
You should work toward a position on a team that focuses on information security. You will learn a lot on the job, and there is no substitute for experience and for finding real-world solutions to real-world problems. To build on your knowledge and to bolster your resume, you'll want to attain certificates in information security. You might seek vendor-specific certifications from companies such as Cisco, but there are also others available. Consult your manager to see which are best to pursue.
After you have significant experience in the field and at least one current certificate, you should think about returning to school. It's nearly impossible to reach the C-suite without an MBA or some other graduate degree. Since the CISO position is so heavily focused on administration and management, you will be well served by an MBA. There are even programs that offer a focus in cybersecurity, IT, or information security.
Typical Requirements for Employer Hiring
When employers seek someone for their CISO position, they often have very high standards for whom they interview, much less hire. To even get a foot in the door, your resume should include stellar academic and professional credentials. You will need to first have an undergraduate degree from a fully accredited university. Your undergraduate degree should ideally be in information technology, computer science, or database administration. Other related degrees will be suitable, provided that your experience demonstrates expertise.
Your job record should reflect a steady increase in responsibilities and salary. Along with your job history, you should show that you've remained current with security issues by attaining certificates or attending professional development seminars. You might also continue your education with coursework from local or online colleges. Regardless, you must show that you are dedicated to your profession and that you are a lifelong learner in your field.
Keep in mind that you must be able to express your knowledge and experience to others. After all, if you intend to be a top-level executive, you must be able to lead your team and instruct the rest of the firm on security protocols. Thus, augment your technical coursework and skills with communication skills. Courses in technical writing and even public speaking will impress a recruiter.
Finally, you will need to complete an MBA from the very best program you can find. It is nearly impossible to land a position in the C-suite without an MBA. The credential itself is impressive, but the skills and knowledge it represents will be invaluable in your job as a CISO. There are MBA programs that focus on information security, so prioritize those when you are filling out applications. You might already have top-level mastery of information security, but you will benefit greatly from taking the other leadership and business courses.
On top of the technical acumen you'll need to thrive as a CISO, you'll also need soft skills to truly succeed. The first and perhaps most important of these is communication. It is vital to express security best practices to the rest of your firm. Thus, seek to develop and maintain your written and verbal communication skills. Don't forget that a key part of communication is listening.
Along with communication, you'll need to know how to build relationships and then be able to demonstrate that on a resume or in an interview. This is because you'll need to forge alliances not only inside your firm but also with vendors and outside consultants.
Salary is one of the top considerations for any job seeker, and the pay for CISOs is quite handsome. Since you'll be in the corporate suites, you can expect at least a six-figure salary. The Bureau of Labor Statistics (BLS) shows that top executives earned a median salary of $104,960 in 2018. This figure could be considered somewhat low, as it does not include items such as bonus pay and benefit packages. Meanwhile, the BLS shows the median salary for information security analysts, a junior position, is just over $98,000. In fact, Payscale.com shows that average pay for a CISO is over $150,000. Your pay might also vary based on a number of factors including your geographical location, the market cap of your firm, and variable economic conditions.
Outlook and Jobs
The outlook for CISO jobs is quite strong these days. There is an increasing emphasis on cyber security and this particular career may soon be in high demand. Firms increasingly rely on their databases in order to run their businesses. Thus, that information needs to be protected from hackers who have been known to hold information hostage, or worse.
The Bureau of Labor Statistics currently shows that the demand for information security analysts is slated to grow by 32% by 2028. Given that average growth is somewhere in the 6-9% range, this is a phenomenal projection. Keep in mind that analysts are in a junior position to their superiors in the C-suite. However, if you are just starting out, this means that you will have ample opportunities to get a foothold in the profession. The BLS doesn't track the outlook for CISOs, but it does show that top executive positions are slated to grow at a rate considered average for all job titles.
There are also lots of opportunities for entrepreneurs and consultants who can help smaller businesses with their information security needs.
Along the way, you're bound to see similar positions available, such as Chief Security Officer, Information Security Officer, and the like. These jobs carry salaries similar to that of a CISO, but each has its own focus. A CSO, for instance, could be focused on the overall security of a firm's network. Their purview can even include the firm's physical security; a CSO might spend more time monitoring security cameras and physical locking mechanisms on doors. An Information Security Officer, on the other hand, is more likely to report to a CISO. Thus, you might work your way up from an ISO to a CISO.