It’s good to have goals.
Even if you’re just starting your cybersecurity career, you may already be thinking about the top job in the field, Chief Information Security Officer. And it’s not too early to start — for example, with Springboard’s cybersecurity bootcamp that guarantees you a career in cybersecurity or your tuition back. If your ultimate goal is the CISO chair, there’s several steps you need to follow to get there, and it’s smart to keep your eyes open for those opportunities along the way.
Remesh Ramachandran, a security researcher and consultant for the government, spells it out in a Medium post.
“The possible career path which is taken by the individuals to become a CISO include starting the career as a programmer or analyst, study to become a security analyst, get more certifications and training, supervise a Security team, obtain an MBA degree in the Information security field and then get promoted as Chief Information Security Officer.”
Let’s look at these steps.
- Put in the time
Becoming a CISO is not something you’re going to be able to do right away. Companies expect CISOs to have several years of experience under their belt first, in progressively more responsible roles.
“A CISO must have spent years in the field of information security with a strong technical foundation,” Ramachandran writes. “It is not possible to get a CISO status unless you have extensive field experience. 6–12 years of work experience with at least five years in a management role is required for a CISO role.”
- Get the certifications
You may have gotten your foot in the door with the CompTIA Security+ or Certified Ethical Hacker certification. But if you want the top job, you’re not done. Fortunately, there are certification courses and exams for every step along the way.
Examples Ramachandran cites include:
- CISSP: Certified Information Systems Security Professional
- CCISO: Certified Chief Information Security Officer
- CISM: Certified Information Security Manager
- CEH: Certified Ethical Hacker
- OSCP: Offensive Security Certified Professional
- CISA: Certified Information Systems Auditor
- GSLC: GIAC Security Leadership
- CGEIT: Certified in the Governance of Enterprise IT
- Get the degree
Chances are, if you want to become a CISO, you’re going to need a college degree – perhaps even more than one. “A CISO must possess a minimum of a Bachelor’s degree,” Ramachandran writes, typically in computer science, cybersecurity, or business. A Master’s degree, either in IT security or an MBA – or both! – might also be required, he adds.
And even after the degrees and certifications, you’re not done, notes Cybersecurity Guide. You need to keep up on the latest trends, both defensively and offensively. “It is vital to remain current with what is happening in the industry. Keeping skills and knowledge up to date with the latest trends is even more critical for CISOs as they are charged with deciding how the entirety of any company’s varied infosec resources will be deployed now and in the future.”
- Pick up the soft skills
As a C-level executive, the CISO needs to interact with other C-level executives in terms they can understand. That means learning to speak the language of business and presenting cybersecurity threats and vulnerabilities in business terms – dollars and cents – without getting too down in the weeds on the technical details.
“The most important step you can take to prepare yourself for an executive-level role is to learn to think like a businessperson,” writes Abbas Kudrati, chief security advisor for Microsoft. “Who are your customers? What are the big opportunities and challenges in your industry? What makes your company unique? What are its weaknesses? What business strategies drive your organization?”
The best way to do this? Learn to tell stories.
“People will ignore what you say when you’re only speaking technical,” James Stanger, chief technology evangelist at CompTIA, told CSO Online. “Your career doesn’t advance and then you have to deal with the downstream issues that you’re causing because no one is listening to you.”
So, how do you get those skills? Look for opportunities where you need to present information to a variety of different audiences, either in writing or through public speaking.
- Network
That’s networking between people, not between machines. It’s important to talk to other people in the field, not just to gain information but to become known as an expert.
“Get involved in the industry: The saying goes that ‘it’s not what you know, it’s who you know’. In this case, it’s both,” writes Jason Hicks, Global CISO at Kudelski Security, in Infosecurity Magazine. “Building your network and becoming known in the security industry is a great way to open opportunities for yourself and learn from the people that have gone through the same experience.”
Here are some ways you can do that:
- Look for webinars on cybersecurity topics, not just to learn but to learn who the players are so you can contact them later
- Look for opportunities to participate in industry webinars yourself, and make sure to provide your contact information
- Join cybersecurity organizations, particularly ones geared toward CISOs
If you’re looking to get started on building towards being a CISO, look no further than Springboard’s