The role of the CISO has evolved, and so have the responsibilities. Some believe a CISO must have technical knowledge and experience as a cybersecurity professional, others think leadership skills such as being able to communicate with boards are what matters most.
Ultimately, the hiring organisations will define what it needs in terms of cybersecurity to find the right person. In finance and insurance, for example, there will be specific rules that must be followed in different countries and cybersecurity leaders in such organisations may even be liable. In telecommunications, the skills required are likely to be more technical, whereas in government knowledge around governance and risk are top of the list.
“For instance, a smaller organisation which is a greenfield site, or a large multinational where there is already an established security function require different sets of skills and approaches,” Joseph Head, director technical security at Intaso tells CSO. “There are a few commonalities between all CISO roles, however: an understanding of risk and risk appetite — in other words, an understanding of the business, and how much risk it can carry. This dictates how much work a CISO must do, and therefore available budget. Unlocking that budget can only be done by communicating effectively.”
Whether technical or managerial skills, those aspiring to become CISOs, CSOs, or VP of security will need to acquire these skills somewhere. CSO has spoken to a few current and former CISOs across different countries on where to acquire such skills.
CISO skill-building stories
Whether they learn on the job, through a certificate or at university, cybersecurity professionals have many ways to acquire skills to get the top jobs. Clarifying a point he made on a LinkedIn post, Head tells CSO that “a high-level [of technical] understanding is still important, but [CISOs] certainly do not need to know the granular details of everything in security. I have seen quite a few descriptions for CISO jobs asking them to be able to code in Python or be an expert in AWS. This is clearly not the job of a CISO.”
CISOs need to be competent in four areas, according to Tony Vizza, the executive director at KordaMentha in Australia.
- They inherently need to understand IT.
- They need to understand fundamental principles of information security and risk management.
- They need to understand the legal and regulatory environment which they operate in, which are usually dictated by privacy regimes.
- They need to have a fundamental understanding of how people and business work.
His professional experience started with a computer science degree from the University of Technology Sydney followed by an Executive MBA from the University of Sydney. He then studied for and attained numerous credentials in cybersecurity, risk management, and privacy, including CISSP, CISM, CCSP, CRISC, CIPP/E and ISO 27001 Senior Lead Auditor certifications. “And I haven’t stopped. I am planning to complete my CIPP/US privacy certification, CGEIT enterprise IT governance certification and GAICD course in director governance in the next couple of years as well as finishing off my Juris Doctor law degree,” he tells CSO.
Biljana Cerin, CEO of Ostendo Consulting in Croatia, started her career from college where she studied computer science at the University of Zagreb. Soon after she started working as a security software engineer. “Once I got in touch with security standards, I became more interested in the overall governance, risk management, and compliance principles related to information systems security,” she tells CSO. She then acquired industry certifications such as CISM, CISA, CGEIT, CBCP, CISSP. Later, once she started managing information security projects, she also obtained the PMP certification. Nowadays, she advises CISOs on establishing efficient cybersecurity risk management strategies, primarily in very large organizations.
Another trend of the industry is defense personnel becoming cybersecurity professionals. That is the case of Narelle Devine who is the CISO of Australia’s largest telecommunications provider, Telstra. Devine was an officer in the Royal Australian Navy, where she eventually assumed the role of director Navy Cyber Warfare. She tells CSO that not just the Navy, but the Australian Defence Force, the federal government and the broader Five Eyes alliance offer great training opportunities.
Devine has also acquired a lot of diplomas through the Navy and elsewhere including graduate diploma of communications and information systems, advanced diploma of maritime studies, certificate IV in government (procurement and contracting), among others. From the University of New South Wales she also acquired a bachelor arts (English and information systems), master of science (information technology) and master of systems engineering.
After leaving the Navy, Devine became the CISO for the then Department of Human Services (now Services Australia), where she built a new state-of-the-art cybersecurity operations centre, uplifting the capability from 25 to 250 personnel.
Many professionals also learn on the job, like Hilary Wilton, who is the CISO at Kordia in New Zealand. Walton, who started her working career as a psychologist, tells CSO that the role of a CISO is about keeping an organization’s information security management system (ISMS) running effectively. Learning about and understand the different components of an ISMS was where she started by doing ISACA’s Certified information security manager (CISM) certification “to give myself something to hang my knowledge together with,” she says. “I was used to the concepts of risk and safety management systems, so learning an information security one felt similar.”
Wilton has also built up a lot of skills applicable to the role by running relevant programs, such as embedding risk management into a company, and developing safety management systems. She became familiar with the skills involved in reporting to governance layers by working in roles that provided governance material and reports to the executive team and board, as well as the concepts around risk and governance that these leaders need to understand.
Certifications for CISOs and where to get them
Quite a few certifications are required, or expected, of CISOs, and when looking at CISO’s LinkedIn profiles, for example, one is likely to see all these acronyms that follow their names or role. Here we list some of those that cybersecurity professionals are usually after.
Certified Information Security Manager (CISM) shows expertise in information security governance, program development and management, incident, and risk management.
Certified Information Systems Auditor (CISA) unrelated to the US Cybersecurity and Infrastructure Security Agency — is for those for those who audit, control, monitor, and assess an organization’s information technology and business systems.
Certified in the Governance of Enterprise IT (CGEIT) is for those aspiring for executive positions that shows how to handle the governance of an entire organization and consider a move to the C-suite.
Certified in Risk and Information Systems Control (CRISC) is for those looking to show their knowledge on enterprise IT risk management.
All the certifications mentioned above are offered by the non-profit professional association ISACA. Costs for the exam are $575 USD for members, and non-members pay $760 USD. Courses to prepare for the exams can be quite pricy, costing up to $2,500 USD in Australia or as little as $23 USD online.
After passing the exam, a formal application must be submitted to be certified, this has a cost of US50. To maintain the certifications, fees of $45 USD for members and $85 USD for non-members must be paid annually.
Other certifications include:
Certified Business Continuity Professional (CBCP) for those who have demonstrated both knowledge and skill in the business continuity/disaster recovery industry. It is offered by DRI and requires more than two years of experience. Applicants must be able to demonstrate specific and practical experience in five of the subject matter areas of the Professional Practices. Like the previous certifications, this requires an ongoing commitment to continuing education and industry activities.
Certified Information Systems Security Professional (CISSP) for those who can design, implement, and manage a cybersecurity program at the enterprise level. It is offered by the non-profit International Information System Security Certification Consortium (ISC)2. Registration for the exam is $749 USD plus annual maintenance fees of up to $125 USD.
Certified Cloud Security Professional (CCSP), also offered by (ISC)2, for those that have the advanced technical skills and knowledge to design, manage, and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures. The exam costs $599 USD.
Certified Information Privacy Professional (CIPP) is offered by the International Association of Privacy Professionals (IAPP) and it has different areas of focus.
- CIPP/A is focused on Asian privacy and teaches laws that govern data use, collection, and transfer in top Asian markets.
- CIPP/C teaches federal laws such as the Privacy Act, PIPEDA and CASL, major provincial statutes, and emerging issues in Canadian privacy practice.
- CIPP/E encompasses pan-European and national data protection laws, key privacy terminology and practical concepts concerning the protection of personal data and trans-border data flows.
- CIPP/US gives privacy professionals the knowledge to manage compliance within the legal web of federal, state, and local privacy regulations, and minimize the risks of regulatory fines and brand damage.
CIPP certification exams cost $550 USD and have a biannual maintenance fee of $250 USD. IAPP offers free resources but training courses from training partners can cost $1,995 CAD, for example, and some offered by IAPP range around $1,495 USD.
Many more options are available including courses on project management and ISO, such as ISO/IEC (information security management) 27001.
Industry associations offer courses and networking opportunities
Networking, books, and podcasts are also sources of knowledge for CISOs. Kordia’s Walton says the most valuable development experiences she has experienced in cybersecurity were working with and learning from other information security people, reading, listening to podcasts, and attending conferences.
She suggested two LinkedIn groups NZ Network for Women in Security and the Women in Security & Resilience Alliance (WISECRA).
KordaMentha’s Vizza recommended books on power and leadership by organizational behavior specialist Jeffrey Pfeffer.
Podcasts recommended by Walton and Devine include:
Ultimately, all agreed that networking is a powerful source for those looking to get the top job. Talking to peers will help identify topics of interest, what the industry needs most at any given time, what those hiring is looking for, etc. Commonly suggested organizations to join that offer learning materials and opportunities to network with peers include international professional association ISACA, (ISC)2, the Project Management Institute (PMI), the Australian Information and Security Association (AISA), and the Australian Woman in Security Network (AWSN).