The CISO role has evolved in recent years. CISOs don’t come just from technical and security backgrounds anymore. Each organization has its own distinct vision for how to solve its security needs, whether they are customer, regulatory, or industry driven.
I started out my career as an external auditor, with the goal of becoming a CFO. I later took a job on a security team that put my complementary skills to use performing risk and control gap assessments and providing consulting across the company’s departments.
After that, I transitioned to a company that needed expertise in technical privacy and GDPR, which steered me toward the CISO role here at Devo. It turns out a compliance background is a great fit for security. Privacy, risk, and reporting are such mission-critical functions that they weave their way into every security decision a company makes.
But other backgrounds can produce effective, high-quality CISOs who contribute to more diversity of thought and, in turn, better business outcomes. People who’ve held down jobs in customer service, law enforcement, the military, business operations, and security research (to name a few) all have the type of skill sets and training that organizations need to lead security in the 2020s. I, for one, am counting on it. I’ve recently changed the job descriptions for people I hire to ensure we’re getting that next generation of security experts and future CISOs with diverse backgrounds.
Let’s look at some of these backgrounds and the skills they bring to the CISO role:
Customer service: Extroverts who have mastered the art of upselling in a restaurant, for example, have the patience and the people skills to manage a complex array of stakeholders. Getting the board, the security champions, and the “resistors” to agree on a vision is their specialty.
Law enforcement and the military: Professionals from these fields are doing well as CISOs. They tend to operate in a black-and-white fashion – no room for gray in the middle. If you’re trying to create or realign a security culture, one of these so-called “enforcer CISOs” can get it done.
Business operations: CISOs from business operations may not know every last security protocol, but these people are terrific at tactical plans. They can speak the business language and partner with security specialists to guide a strategy.
Executives: So-called “executive CISOs” understand the business and can manage people. They’re less focused on technology and the strategic aspects of securing operations than they are on making deals and advancing the business. These executives have a business background but didn’t work in security. They delegate extensively and approach the job as a series of tasks to be solved.
Visionaries: Security researchers who are intellectually curious problem solvers have the drive and the aptitude to create a CISO’s vision and get people to buy in. They communicate well cross-functionally across teams. They’re especially good at assessing the strength of a security organization, proposing out-of-the-box solutions, and moving quickly to get them implemented.
“Compliance CISOs”: Executives like me bring the mentality of an auditor to specific tasks and to the job as a whole. If there’s a potential “data spill,” for instance, my nature is to get on a call and determine what’s happening. If it could be a misconfiguration, what is the process around this configuration? What team is involved? When did it happen? I look at the risks, the controls, and processes that lead up to a misconfiguration.
The fact is, you’re never going to find a CISO who is an expert in every part of the job. Security is a multi-faceted function that demands both deep and broad knowledge in many areas. If you don’t have deep expertise in coding, access management, business operations, or cloud security, surround yourself with people who do. Then use your own set of skills to lead your team by strategizing and working toward corporate objectives.
If I realize I’m not strong in a particular area, I reach out for help, whether within my team or in another functional department. If I tried to know everything, that would be a problem.
Unlike in past years, there’s no one path to the CISO function. That’s not going to change. Each company is going to find its own way and develop its own style. Hiring a CISO with the background and skill set best suited for the company is the surest way to success. And being able to pivot as the company evolves over time is crucial to that.
If you’re a security leader looking to improve your SOC operations with elements such as automation, read Four Elements Security Leaders Must Consider When Building an Autonomous SOC.
Frequently Asked Questions
Define Specific Requirements: Organizations should start by clearly defining the skills and attributes they need in a CISO beyond traditional technical expertise. This includes leadership abilities, strategic thinking, risk management, and the ability to communicate effectively with various stakeholders.
Broaden Search Channels: Use diverse recruitment channels such as specialized job boards, industry conferences, networking events, and professional groups that focus on different backgrounds including customer service, law enforcement, military, business operations, and compliance.
Use Inclusive Job Descriptions: Craft job descriptions that highlight the value of diverse experiences and explicitly state that non-traditional backgrounds are welcomed. Emphasize soft skills and leadership qualities alongside technical competencies.
Leverage Referrals and Networking: Encourage employees to refer candidates from a variety of professional networks. Networking with professionals in sectors like law enforcement, military, and business operations can also yield promising candidates.
Conduct Behavioral Interviews: Focus interviews on behavioral questions that reveal candidates’ problem-solving abilities, leadership style, and adaptability. Scenarios and case studies that require strategic thinking and cross-functional collaboration can provide insights into their suitability.
Build a Strong Team: Surround yourself with technical experts in areas such as coding, access management, cloud security, and threat detection. Delegating technical tasks to these specialists enables the CISO to focus on strategic leadership.
Continuous Learning: Commit to ongoing education in cybersecurity. This can include obtaining certifications (such as CISSP, CISM), attending workshops, and participating in industry forums to stay updated with the latest trends and technologies.
Foster Collaboration: Create an environment where team members feel empowered to share their expertise and insights. Regularly hold cross-functional meetings to discuss security issues, strategies, and innovations.
Align Security with Business Goals: Focus on how security initiatives support broader business objectives. Communicate this alignment to top management to gain their support and resources, ensuring that security is seen as a business enabler rather than a cost center.
Example 1: Former Auditor to CISO: Auditors can transition to a CISO role by leveraging their skills in risk assessment, compliance, and control gap analysis.
Example 2: Military Officer to CISO: Military officers bring a disciplined, black-and-white approach to the role of CISO. Their experience in command and control operations helps establish a strong security culture and clear policies within the organization.
Example 3: Business Operations Manager to CISO: Business operations managers’ expertise in tactical planning and business strategy enables them to communicate effectively with both technical teams and executive leadership, bridging the gap between business objectives and security measures.