What makes a CISO employable?

The role of head of security and IT risk management at Deloitte, for example, includes developing, articulating and delivering a business-aligned security and IT risk management strategy. The remit is wide, and includes strategy and communications, risk management, IT security operations, investigations/incident response, security development, IT business continuity planning/disaster recovery and client engagement consulting.

Balancing these requirements with the objectives of the business is essential, as ultimately the role exists to enable and assist Deloitte in achieving its strategic aims.

Demonstrating a healthy return on investment, and operational efficiency whilst maintaining the appropriate risk profile for Deloitte, is also integral. There are a number of competencies and skills that need to be drawn upon daily that a CISO must possess and demonstrate, not only to emanate credibility, but also if they’re to rise to these business challenges.

Education

In its survey titled ‘Information Security Career Progression’, ISACA discovered that 72% of respondents felt education was important for obtaining a job in information security, and 78% for promotability within a career. In addition, 84% of respondents stated that education was important because it added value to their role in security.

To truly understand information security, a professional requires three fundamental streams of education:

• A technical foundation is required, as the majority of information assets are electronic, and having an understanding of their complex construction is vital. Ideally a combined business and IT and/or security degree would prove useful, as this would provide an understanding of industry frameworks, approaches, and standards (ISO27001, COBIT, ITIL, etc.) and also provide the fundamentals of business management.
• The CISO should also pursue continuous education, such as vendor-neutral certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.
• Surround yourself with excellence. Deloitte’s Information & Technology Risk (I&T Risk) team, headed up by Simon Owen and Mike Maddison, was voted the best security consultancy last year by Forrester and Gartner. Working with an excellent team and keeping an open mind to look at things from every angle is an invaluable education.

Industry certification

Derek Oliver, CEO for Ravenswood Consultants, and member of the ISACA London Security Advisory Group, speaks from experience about his own educational background. “Although I have a PhD in security information management, the two qualifications that I am most proud of, and that have opened the most doors for me, are CISA and CISM”, he says. “A good CISO needs to understand risk management and security governance, both a critical part of CISM.”

Recognition and respect is growing for the sought-after CISM certification, which has grown rapidly since ISACA introduced it in 2002. More than 13 000 professionals worldwide have earned the certification, and those holding the credential are able to command pay premiums, according to research by the independent Foote Partners LLC. In the Certification Magazine 2007 Salary Survey, CISM comes in as the second-highest held IT certificate.

The ISACA Career Progression survey also found that 92% of respondents indicated that their professional certifications are important to demonstrate competency in their job, 89% felt certifications are important for gaining professional recognition and 83% pointed to their importance in gaining recognition from peers. Additionally, 77% felt they were important in qualifying for a new position. Technical certificates, however, did not hold the same value, with only 38% saying that having a technical certification was important.

Involvement in industry events and forums is also an important aspect of education. It provides a platform from which to share experiences with other CISOs and explore how they have tackled common industry problems and challenges. It also helps CISOs familiarise themselves with the continual developments in the world of technology.

Peter Bassill, CISO for Gala Coral Group, has the following sound advice: “Ensure you have a delicate balance between keeping abreast of industry trends by attending seminars and conferences, but equally your job is to keep the company safe and you can’t do that if you’re not there.”

Professor John Walker, a cybersecurity and IT forensic consultant at Secure Bastion, and member of the ISACA London Security Advisory Group, adds that “Those looking to secure employment within a specialist field, for example the government sector or financial industry, need to ensure that they’re au fait with any relevant standards and legislation. It’s not just being able to walk the walk, you need to talk the talk to and change step as you change doors.”

Experience

A demonstrable track record is absolutely imperative, and working from the bottom up is essential as it ensures you have a good understanding of all implications when making decisions. The decisions and recommendations you make may have a major impact on an organisation’s security/risk posture, operational cost, efficiency and agility.

Derek Oliver believes that the biggest threat is people. “If you understand people then you can predict the weaknesses that they introduce, and this is why experience as an auditor is ideal for the role of CISO. My 20 years of audit security has taught me you have to examine every angle of what you’re trying to prevent. It gives greater understanding of why, and ultimately how, it needs protecting in the first instance. In fact, there are some large banks that insist that all senior management have some experience in audits.”

Skills

When looking either for employment, or to further your career, the skills you possess and demonstrate are as vital a component as education and experience. You need to have an engagement strategy that demonstrates how you will deliver results and deal with individual requirements and people whilst maintaining security at an organisation.

According to Sarb Sembhi, the president of ISACA’s London Chapter, “The way organisations secure their enterprise is changing, with an increasing amount of security outsourced, and therefore the skill set a CISO needs [must] adapt. Historically, the role required someone who understood security first and foremost, and the additional soft skills – such as organisational politics, project management, and people skills, could all be learnt on the job. Today, someone looking to take on the role must have these abilities as a pre-requisite.”

Strategy

There are six key principles that a CISO may wish to base their career on:

1. Engage with the business. CISOs need to demonstrate an ability to navigate their way within the organisation by developing relationships with key stake-holders. An aptitude to discretely understand the organisation’s politics, expectations and concerns is essential. Finally, they need to display a competence in qualifying the level of investment that is appropriate for any security initiatives, whilst ensuring the proposal is relative to the organisation’s needs. You can’t, and shouldn’t, make changes without fully understanding the impact they will have, determine whether the investment is necessary, and can justify the expense or identify the impact to revenue streams.
2. Focus initiatives on what is learnt. A CISO needs to understand not only their own area, but also that of the business and where they fit within the organisation. Spend time engaging the business before producing security strategies. The engagement process will enable you to define the strategy’s core work streams. This will ensure the strategy has complete buy-in and sponsorship from the business and is in line with objectives.
3. Align, target and time initiatives. Convey an understanding of the business strategies aligned with the challenges facing IT – mergers and acquisitions, regulatory pressures, financial pressures and competing initiatives. Using this understanding, map out the next 12-, 24- or 36-month period in comparison to what the business is trying to achieve strategically and tactically. Doing this will also provide you with the agility to propose any unplanned changes that may emerge throughout this period.
4. Service delivery. Often people forget that what they are selling, ultimately, is themselves. Focussing on quality, presentation, punctuality, and physical appearance will make a difference. Adding value is the mantra for every conversation you have. Articulate the reduction of total cost, demonstrate a return on investment, reduce risk where possible, and show that you’re adding value. Applying a consistent and customer-aligned approach is an obvious but often forgotten principle. Tailor your pitch to your audience; whether technical or business, language makes a big difference.
5. Credibility. Don’t be afraid to discuss your success stories. Promote the wins, highlight the risks negated, the costs reduced and support all of these conversations with case studies, industry information and supporting opinions of senior colleagues and respected personnel within the larger security community. Peter Bassill concurs: “Conduct some research, publish some whitepapers, and raise your profile. As a security professional it’s important to ensure you have some credibility within the industry if you want to be taken seriously.”
6. Relationship management. CISOs should recognise that decisions are influenced at all levels. They should be able to identify who the authoritative personnel are within the chain and to hone an approach that ensures buy-in from all levels. Derek Oliver has a good analogy: “Never use a ‘doing’ word with an executive, as their job is to observe, not to get their hands dirty. Security costs money, with many organisations seeing it as a black hole. You need to communicate at this level why a firewall is needed and be able to justify the expense.”

The profile

Historically the typical age of a CISO is between 40 and 60, and they often have a background of technical security/consulting. However, security forums suggest evolution, including an increase in people from the legal profession and senior business managers joining the industry, primarily as regulation and law become more apparent.

Peter Bassill’s view is that “there isn’t a typical profile, but one trait is that they’re all workaholics and addicted to their jobs”.

John Walker believes the role of CISO is evolving and that “those capable of acting as an operational chameleon will increasingly be desirable when looking to fill this position, especially with the economic downturn, as companies look to reduce the size of the workforce and amalgamate roles, of which the CISO is a perfect example. It’s not just about having the right qualifications but underpinning them with understanding and the ability to think outside of the box. Increasingly a holistic view will be required – rising above the problem and seeing a number of solutions with the ability to identify the right one for the organisation at that moment.”

Sarb Sembhi predicts that “converged security risk management will also affect the future profile of the CISO. As we move forward the remit will not just incorporate information security but will encompass physical security, so these will converge with logical security and the skill set will need to expand.”

Combining the six previously outlined principles with a strong relevant educational background, industry experience and a demonstrable track record will help secure a CISO position today. However, to ensure you keep the post, you need to come out of your ivory tower and stay abreast of developments at the coal face.