So you think you want to be a CISO…

Information security is a great career path, but there are a few things you should think through before starting the trek down the information security highway.  The CISO (Chief Information Security Officer) creates new security obligations within an organization and must be the enforcer of any obligations produced.  Think of it as being the first person ever to set a speed limit on the highway and then tell people they will get a ticket for exceeding it.  If you are like most of us, you probably speed every now and then, just as most computer users break security rules on a regular basis.  In case you still think it sounds easy enough to be the enforcer, let's look at everything involved in becoming a successful CISO.

First, you must have an inner determination that drives you without needing a word of thanks from others.  That's because information security is more thankless than most IT jobs, which is saying a lot.  Security officers must regulate data security.  The officer must enforce security regulations with everyone, including executive management.  In the real world, that is roughly synonymous with telling your CEO that he is not the boss.  The CISO must also obtain buy-in to roll out and enforce new policies.  Security is ever-changing, and the CISO must have a good enough relationship with upper management to gain buy-in as he rolls out new changes.  It's worth repeating that the CISO has to be well-spoken enough to tell the CEO he is not the boss while also getting buy-in from upper management on new policies.  That is a tough balancing act even for the best employees.

The CISO must also be willing to admit when a policy is not working and change it.  Some of the simplest security changes can create a political backlash like no other.  It's at those times that the CISO must review what changed and determine the next best step for the organization as a whole.  This is yet another political balancing act in which data must be secured while customers stay happy enough that the CISO doesn't lose his job.

It's definitely not easy to be the enforcer, but here are a couple of suggestions if you still want to make your way to the top of the security pyramid.  Obtain a CompTIA Security+ certification.  This is definitely not a CISSP, but it gives you good entry-level knowledge of the field, which will help you determine whether you want a long-term career in information security.  Whether you already work in IT (Information Technology) or not, find a way to get involved with your information security department.  Someone already in IT can work to become a liaison to the information security team.  If you are not in IT, tell someone in your IT department that you want to become a super user for your application and that you'd like to help make sure your department is as secure as possible.  IT departments are always overloaded and would love extra help from internal staff.

*Originally posted through the PortSec blogger.