The CISO Pilgrimage

Counting the steps on the CISO pilgrimage
Most of tomorrow’s CISOs will begin their journey with a university degree
Today’s CISOs have to climb the career ladder, but Dorey compares his journey to CISO as standing on a rising platform

The 1961 musical How to Succeed in Business Without Really Trying opens on a window washer (currently being played in the Broadway revival by ‘Harry Potter’ Daniel Radcliffe and originally on both stage and screen by Mad Men senior partner Robert Morse). Armed with a copy of the eponymous book, he steps gingerly onto the bottom rung at the World Wide Wicket Company. By diligently following the book’s advice, two, maybe three weeks later he’s chairman of the board.

The bad news is that it’s a lot harder and more grueling than that – more like a 20-year effort – to become a CISO. The good news is that you’re probably starting with better credentials than a sponge and a squeegee, and your first job won’t be in the mail room.

Starting Points

The speed of change means that today’s CISOs have not, generally, followed the path that today’s graduates will have to take.

“When I did computer science as a degree course 30-odd years ago”, says Frank Coggrave, general manager EMEA for forensics software specialist Guidance Software, “there were probably three universities in the country that had a computer science course.”

Paul Dorey, who was CISO at Morgan Grenfell, Barclays, and BP before setting up CSO Confidential, says, “I didn’t climb a ladder. I stood on a platform and it rose. My only job was not to fall off as it went up.”

And that’s it: today’s CISOs invented their jobs. Dorey, for example, thinks he was the first operational risk director in Europe. Many got their start because they were the only people who had ever configured a firewall – or the only ones willing to try.

"The only problem with fast track is it won’t give you much time for networking, getting additional qualifications, or joining associations"
Roger Southgate, ISACA

The difficulty for newcomers is that they don’t have the luxury of learning the ropes step by step over decades. Instead, they must quickly learn all of the past while simultaneously following current developments. It’s a tough road.

It’s not a job or a career, says Peter Bassill, a member of the London chapter of the ISACA Security Advisory Group and CISO of a large betting and gaming group. When you’re working 40-hour weeks in the office and then going home to do research to become a better security person, “it’s a lifestyle choice”.

Higher Education

Like many of today’s CISOs, Bassill began his career before university degrees in security were available. Similarly, Roger Southgate, a past president of ISACA London and an independent governance and risk consultant who has served as both CISO and CIO, began as an accountant, rising to chief accountant for a Japanese bank’s investment arm. When computers arrived, he wound up writing accounting systems, which led him logically into security.

Bassill learned by “reading and more reading, and learning from as many people as possible. Leeching information from every available source in my spare time while I was a UNIX administrator and coder.” By now, though, Bassill has many professional qualifications: CISSP, GCFA, and CITP.

Most of tomorrow’s CISOs, however, will begin their journey with university degrees.

"I think this job is genderless"
Rhonda MacLean, MacLean Risk Partners

“We’re starting to see a change in the professionalization of security now”, says Coggrave, who adds that a background in forensics is becoming increasingly important to employers, as is a good-quality degree from a good-quality university. “They want someone who has an understanding of how things hang together before they even start getting involved”, he says.

First Job

Getting that first job is the old conundrum: You can’t get experience without a job, but you can’t get a job without experience.

Bassill warns that “you’re going to be breaking in at the low end of the security market.” Typically, you’ll start at either a large end-user organization or a vendor. While there are fewer opportunities for career advancement at a vendor, you will still gain good experience and meet a range of clients, one of whom may provide your next job. Expect your first job to be somewhat dull, he says: security administration, leg work, donkey work writing policies.

Unfortunately, the recession has led large companies to discontinue or severely cut graduate training programs. Dorey suggests offering your services as a US-style intern, as often academic courses leave graduates with lots of theory but little business grounding.

"Security is very competitive, so you have to have differentiators"
Chris Batten, Acumin Consulting

It was to counter this problem, says Philip Anderson, a senior lecturer and program leader for the six-year-old BSc Hons computer forensics degree at the University of Northampton, that the school’s course includes a year of business placement.

“We’ve had a pretty good success rate in finding jobs for our first graduates”, he says. Many returned to the companies they worked for during their placement year.

Next Steps: The Softer Side

Soon, however, you will need to move into a large organization that has opportunities for advancement. There, says Roger Southgate, the goal is to broaden your skill set. The role of a CISO is not a technology job; it’s a board-level business job.

“Security is very competitive, so you have to have differentiators”, says Chris Batten, managing director of the recruitment agency Acumin Consulting, who tends to see people after they’ve had a few years’ experience.

“The rising stars in security”, he says, “tend to be individuals with rounded experience who can persuade, sell, and raise awareness of risk and make it exciting.”

Possessed of a grounding in information risk and a technical understanding of applications and networks, he says, “they have illustrated that they can engage with clients and hold their own in competitive end users, and they have a hybrid skill set that allows them to do almost whatever they want.”

It is important to acquire capabilities in team leadership and/or business development, he says. “That’s what we like to see”. In other words: “soft skills”.

"I didn’t climb a ladder. I stood on a platform and it rose"
Paul Dorey, CSO Confidential

In addition, Batten and many others recommend pursuing industry qualifications such as CISSP to establish your credibility and capability.

Above all, everyone agrees that networking is very important, and not just online in groups on LinkedIn and Facebook, but in the real world, through professional societies and other organizations.

“You don’t network effectively if you’ve never met somebody, and you don’t get known in the market on the back of a blog”, says Batten. “If you hide away – and a lot of security people do this – then you are restricting your career.”

In addition, he says, find two mentors – one who will tell you you’re an idiot and another who is “a bit more empathetic”. Between them, “You will gain a huge amount of experience and knowledge” – and help accelerate your career.


Do not go blindly into career competition. Stop and ask yourself: Is this really what you want?

Rhonda MacLean, founder of Arizona-based MacLean Risk Partners and former global CISO of Barclays Bank, says that in mentoring both men and women she’s noticed that, “When you’re young in your career you can get fixated on a title and think, ‘I want this title’. What they maybe haven’t thought through is what comes with that title other than the prestige and the compensation.”

This is important to avoid. “I always try to [encourage] people to go with their values and what makes them happy.”

MacLean herself only moved into security mid-career. “I was a problem solver in IT and business problems.” One day she was sent to solve a security problem and she was hooked. “I’m a person who loves challenge, working with teams, playing games – how can I outsmart that move? For people who like that kind of thing, this is a great career.”

Reaching the Top

It takes a lot of leadership ability and, says Dorey, gravitas to fit in at board level. Speeding through the ranks is not necessarily your long-term friend.

“If you want to climb fast then you have to get into the mindset of trying to identify the next wave of growth business that is going to use technology – but be sure you’re prepared to work 24/7 to ride that wave”, says Southgate. “The only problem with that fast track is it won’t give you much time for networking, getting additional qualifications, or joining associations.” Which is of course, the thing that everyone agrees you need to do – both to be good at your job and to make yourself board-level material.

Dorey believes that the two hardest leaps are the one from student to first job – and the final one to CISO. For one thing, Chris Batten estimates that there are probably 750 CISO jobs in the UK and some 70,000 people working in information risk management; that’s more competitive than Harvard. Fortunately, not everyone wants to be a CISO.



“When working at board level I honestly think a woman would be a lot better than me”, says Peter Bassill. “I’m a geeky security guy, but put a female there in a suit and they’re going to pay a lot more attention because they won’t really relate her to IT.”

Chris Batten estimates that women make up 10% to 15% of the market. Those running careers events report a steady – if small – number of female attendees, and there is general agreement that prospects for women in the industry are good. Rhonda MacLean reels off a long list, from Claudia Natanson, Diageo’s CISO 2004 to 2010, and Paula Chlebowski, group head of IT Security at HSBC, to Charlie McMurdie, head of the UK’s Police Central e-crime Unit, and her boss, Janet Williams.

“I think this job is genderless”, MacLean says, adding that both men and women must network effectively. Recognizing, however, that women have sometimes failed in this area, about eight years ago, Joyce Brocaglia, founder of the US security specialist recruitment agency Alta Associates, created the Executive Women’s Forum to provide these opportunities for senior women in information security, risk management, and privacy. Last year, 180 attended the annual conference.

“This is a team sport kind of business. The more you work together with other people and the more you create trusted relationships, the more successful you can be”, says MacLean. So, she says, “To these young women coming out: build a robust network of both men and women. And help other women come along, because it always comes back.”
