AS DATA BREACHES SOAR, SO DO CISOS’ PAYCHECKS
In recent years, the role of the chief information security officer has catapulted into executive committees and boardrooms, spurred by a relentless surge in crippling cyber-attacks orchestrated by well-resourced and resolute threat actors. Predictably, as cyber threats soar, so do CISOs’ salaries. According to Cybersecurity Ventures, CISOs’ bank accounts will continue to fatten, with more organizations likely to move the needle to the US$500,000 to US$1 million range over the next five years. A smaller subset of distinguished CISOs already command total annual compensation packages in excess of US$2 million.
These mouth-watering numbers, combined with access to the board and once-in-a-career opportunities to build fully-fledged cybersecurity functions from scratch, are enticing experienced cyber professionals to aim for the coveted chief information security officer role. So if you find yourself asking how to become a CISO, read on.
Despite the rising appetite, very little clear-cut guidance exists to help aspiring cyber leaders accelerate their path to the top. Most cybersecurity professionals feel stuck in functional roles; their careers are rising at a slower pace than a snail trailing across wet cement.
When you search the phrase ‘How to Become a CISO’, Google will return more than 1.5 million articles and web pages. Sifting through this content, most of which is substandard, is tedious and overwhelming. Granted, the domain of cyber leadership is vast and complex; there is no single path to the chief information security officer position. We have written this blog to share some practical insights to help aspiring cyber leaders accelerate their path into the C-suite and excel in those executive roles.
THE SHIFT TOWARDS THE BUSINESS-SAVVY CISO
About a decade ago, the CISO role was largely confined within the corridors of the IT function. IT security managers (then the most senior cyber leaders) deployed and maintained a portfolio of technical solutions, such as firewalls, internet proxies, intrusion detection systems, email security gateways and endpoint security. The role of the CISO certainly looks very different today. It has expanded beyond a compliance focus into a strategic role that anchors business growth and long-term brand success.
The rapid shift in the competencies that determine success was confirmed by PwC’s October 2020 Global Digital Trust Insights Survey, which revealed that 40% of executives prefer a chief information security officer who can successfully lead complex transformation. Corporate directors’ expectations are aligned: they prefer CISOs who exhibit solid soft skills, primarily persuasive communication, the ability to analyze complex matters, creativity, and critical thinking.
In a recent interview with Security, Phil Zongo, CEO of the Cyber Leadership Institute, underscored that curiosity, determination, and self-awareness are better predictors of a cyber leader’s success than technical proficiency. The PwC survey also found that CISOs who are innovative, with proven leadership skills, strategic thinking, and the ability to take smart risks, are more sought after by executives than their purely technical counterparts.
ACADEMIC AND TECHNICAL CERTIFICATIONS
Typically, CISOs graduate with information technology or computer science degrees. These undergraduate degrees helped them get their foot in the door. Over the course of their careers, most chief information security officers attain multiple professional certifications, most notably the following two:
- CISSP (Certified Information Systems Security Professional) – Long considered the gold standard technical cybersecurity certification, CISSP is heavily focused on network security, architecture, operations, access management, asset management and secure systems development. CISSP is administered by the International Information System Security Certification Consortium (ISC)².
- CISM (Certified Information Security Manager) – Offered by ISACA, CISM focuses on the governance, program development and management, incident management and risk management aspects of cybersecurity.
It can take anywhere from 6 to 12 months to study for and pass both exams. While each requires at least five years’ experience in a related discipline, passing the exam can deepen knowledge in essential cybersecurity pillars and demonstrate passion to potential employers.
Granted, there are a variety of cybersecurity certifications, but these two, both of which were rated the best InfoSec and cybersecurity certifications of 2020, are the most relevant to the CISO role.
As more and more CISOs acknowledge their blind spots, they are adding MBAs to their academic portfolios to blend their technical expertise with entrepreneurship, strategic thinking, and leadership skills. An MBA from a reputable university can be a differentiating factor in a crowded market. Furthermore, MBAs provide solid ground for developing strategic relationships, broadening one’s career prospects.
A study conducted by Kaspersky Lab, which polled 250 security directors globally, found that 68% of CISOs held a master’s degree of some kind, with an increasing trend among them to pursue MBAs in a quest to sharpen their business acumen, a prerequisite for success.
At the Cyber Leadership Institute, we created an intensive and highly collaborative eight-week course that has empowered chief information security officers and cyber leaders from more than 30 countries with practical strategy design, influencing, governance, board communication, and leadership skills.
All signs indicate that business executives and corporate directors are starting to feel the scourge of cybercrime and are taking its lessons to heart. We can easily predict that the demand for business-centred CISOs will keep soaring as companies seek to assure their strategic business partners, regulators, and customers that their cybersecurity capabilities are robust and fit for purpose. While technical proficiency still has its place, our experience suggests that professionals who develop strong personal brands, a deep understanding of business realities, persuasive communication, and an ability to influence powerful stakeholders will undoubtedly rise above the din.