May 2024 – 370 Security Blog

Accelerate Your CISO Career By Investing In Your Brand

When I was in the military there was a single consistent phrase that was repeated to us over and over again – reputation matters. Even though the military is a large organization, your specialization creates a small group and so how you perform and behave will stay with you throughout your career. This concept is no different from the security industry. How you demonstrate expertise, how you present yourself publicly and how you engage with the rest of the industry all contribute to your reputation. In this post I’ll explore why reputation is so important, activities that can contribute (or detract) from your reputation and how your reputation can accelerate your career.

Your Reputation Is Your Brand

Social media has made it extremely easy to have an online presence and it is easy to contribute to your profile using your device of choice. Sites like LinkedIn, WordPress and Medium have made it possible to have a digital resume documenting your career history, expertise and daily interactions with others. All of these interactions contribute to your reputation and ultimately your brand. But, what is brand and what does it mean to have a brand? Let’s dig into this.

What Is Brand?

Your brand is your reputation, but it is also broader than that. Reputation is whether individuals and your community view interactions with you in a positive or negative way. You reputation is a reflection of trust, credibility and reliability (or lack thereof). Brand is an extension of this foundation of trust. It is how you externally market yourself to people inside and outside your community and can be viewed as taking an active role in managing how people view you.

Why Should I Care About My Brand?

Whether you like it or not you have a brand. If you use the internet, play video games or use free services (like Gmail) you are discoverable on the internet. You should care about your brand because if you don’t actively manage how you are perceived, then you could be perceived in a negative way. Another way to think about brand is: there is a conversation happening around you whether you like it or not. Participating in and leading that conversation is going to be beneficial and advantageous to your brand (otherwise someone will do it without you).

Furthermore, if you aspire to land a top CISO position at a public company you can expect the company to research your background using publicly available sources like LinkedIn. They will do this not only to determine if you are a good fit for the role, but also as a way to understand and manage their brand and reputation. They don’t want to hire someone who has a bad reputation, whose viewpoints don’t match with their culture or could be a liability to the company.

Unapologetically Build Your Brand

Let’s talk about ways to build your brand. First, the nature of our business can make security professionals reluctant to talk about themselves, but you need to set aside the notion that there is something wrong with promoting yourself. You are your own best cheerleader and no one knows about your strengths, accomplishments or expertise better than you. You are your own best advocate and you should embrace your role as lead brand ambassador.

I regularly see people on social media disparaging the notion of self promotion. They claim people who self promote are merely influencers and not actual practitioners of the role. This is completely false and you need to ignore this type of negativity. Some of the best practitioners constantly promote themselves (like Bruce Schneier and Brian Krebs) as a way to build their brand and demonstrate expertise.

Separate Your Brand From Your Company

Second, it is important your brand is separate from your company. Unless you own your own company, don’t fall into the trap of parroting all of the marketing material of the company you work for. The reason why you don’t want to do this is because you will work for different companies over the course of your career and if you tie your brand to your company, your brand could evaporate overnight if you change companies. Additionally, only posting about your company and current role will limit your ability to demonstrate expertise in a broader context. This means you could be viewed as unqualified for roles that require a broader skillset, larger scope or different industry.

Actively Manage Your Brand

Third, actively manage your brand by regularly doing an internet search of yourself to see how others may view you. If you see articles, podcasts, pictures, references, etc. that don’t align to the brand you are trying to cultivate, then follow the appropriate steps to request to remove those things from search or from the site hosting them. Your brand will evolve as your career evolves and there is nothing wrong with curating older content that no longer aligns to the current vision you have for yourself.

Building Your Brand

Brand is a tricky thing and as one of the people on my team likes to say: “reputation arrives on foot and leaves on horseback.” I equate brand and reputation to holding a baby bird – if you don’t hold on it will fly away, but if you hold on too tight you will crush it.

There are a lot of things you can do to build your personal brand starting with your personal vision. If you aspire to be a CISO at a public company then you need to model yourself after someone in that role. Having a good mentor is essential to identifying and understanding your current strengths and weaknesses so you can begin to model and demonstrate the skills, behaviors and expertise of the role you want.

Second, you need to demonstrate expertise and credibility for the role you aspire to achieve. Getting certifications is good, but certs aren’t enough. You need to participate in industry events like chapter meetings, conferences, round tables and networking events. It also means actively participating in the industry in a public way. Showing up at the aforementioned events isn’t enough, you need to actively participate and have a voice. Actively participating in the industry can consist of submitting a conference talk, giving a talk at your local chapter event, starting a blog or even just adding insightful comments on LinkedIn. The point is your active participation will establish your voice and begin to establish your brand, reputation, credibility and expertise.

Most importantly, be consistent. Don’t just show up when you need something or when your dream job opens up, but that time it is too late. You need to have a history of consistently contributing and demonstrating expertise. Being consistent also means following through and executing on your commitments. If you say you are going to do something, then do it. Your ability to execute and follow through will resonate with everyone you interact with, so being consistent is incredibly important for building a positive brand.

Think of your brand as a never ending resume. If companies or people search for you then they should be able to get some idea of who you are, what expertise you have and how you think as a CISO. The breadth of your brand should cover all conceivable topics a CISO may be asked to perform such as leadership, operations, compliance, board interactions, technical evaluations, etc. This expertise needs to be applicable to a variety of industries and companies to maximize your brand potential and maximize your ability to land your next role.

Destroying Your Brand

Positive interactions through conversations, posts, talks, etc. are the best way to build your brand, but it is even easier to destroy your personal brand. Here are a few things I’ve seen that can cause a negative reflection on your brand.

Negative Interactions

Trolling folks on social media or negatively interacting with people is a quick and easy way to impact your brand. People don’t want to be around someone that is negative, gate keeps the industry or consistently tears people down. A quick way to evaluate if your interactions are negative is if people are liking your comments or positively engaging with you. If you aren’t getting engagement or follow up to your posts you may want to re-think your approach. An easy way to measure your brand is by number of followers, connections, views or likes (depending on the platform). If you aren’t seeing this number grow you probably need to rethink your approach.

Misrepresenting Yourself

Another way to impact your brand and reputation is by mis-representing yourself. This can harm your brand in a few ways – first, it is easy for folks to determine if you really can do the things you say. If you don’t have the expertise, but claim you do, people will know and begin to avoid you. Second, the security community is a small one and mis-representing yourself will trickle around to others and inhibit your ability to get onto the shortlist for the biggest roles. The top roles usually involve a lot of back channeling to understand who will be the best candidate. Misrepresenting yourself is a quick way to get taken off the short list of candidates. Lastly, misrepresenting yourself not only causes noise for the rest of the community, but directly relates to the previous paragraph of negative interactions. A lot of times the most bizarre or negative interactions I have seen are coming from people that claim they have expertise, but clearly don’t. Your title, byline, profile summary, etc. all contribute to your brand and reputation. It is ok to be open and honest that you aspire to be a CISO, but claiming you have had a title you haven’t will directly harm your personal brand.

Oversharing

This is a tricky one to navigate, especially in our digital world, but oversharing can be viewed negatively, which will ultimately harm your personal brand. Remember, companies are going to research you and if your posts are consistently inappropriate, demonstrate questionable behavior or air dirty laundry about your life, then this can harm your personal brand and reputation. Posts like this are fine for social media sites that are designed for family and friends, but you may want to steer clear of posting these things on professional sites like LinkedIn. If you are pursuing a top level CISO position consider making your personal social media sites private and only viewable by family and friends. Similarly, clean up your professional sites like LinkedIn by removing questionable posts, comments, etc. A good guideline for LinkedIn is treat it like you are at the office – politics, personal health issues, controversial topics, etc. are best left for private conversations at home.

Hyperbole (The Sky Is Falling)

Another way to harm your personal brand is by constantly posting hyperbole. If you are constantly claiming the sky is falling due to a new vulnerability, new technology, new risk, etc. that can detract from your personal brand. You will quickly become part of the background noise instead of part of the conversation. Instead, add your own flavor or context for how folks should navigate the issue you are posting about to establish credibility and expertise.

Bad Headshots

One final aspect that can harm your personal brand is a bad headshot. Cameras are so good these days that there is really no excuse for a poor headshot. Bad lighting, selfies in a car, pics that clearly have family / friends cropped out are all conveying a poor impression to companies and connections. If you aren’t going to invest in yourself why should they invest in you? Do a little research on how to set up a good headshot and use the portrait mode on your phone to take a decent headshot. Find people on social media that have headshots you admire and try to mimic those. Even better, pay the money for a decent headshot. They will last a few years and speak volumes to potential companies and recruiters. Headshots are your first impression to employers and so they should convey the appropriate level of professionalism for the CISO role you are aspiring to land.

Wrapping Up

Your reputation and brand are important to establish credibility and expertise that you are qualified for a top CISO role. If you aspire to be a top CISO at a public company your brand is a must have to get onto the short list of candidates. Companies research top candidates and rarely hire unknowns into top roles. Establishing a brand for how you think and what you are good at will help demonstrate you are qualified for these roles and differentiate you from other candidates. Build your brand by being consistent, positive and demonstrating breadth. Get a mentor, work on skills and take a decent headshot. Consider your brand like a never ending resume that is difficult to build, but easy to destroy. Actively taking control of your brand will help establish not only how people interact with you, but how they remember. You never know…the next person that remembers you could want you for their open CISO role.

Whats The Difference Between A CSO and CISO?

Like Arnold Schwarzenegger to Danny DeVito in the movie Twins, the Chief Security Officer (CSO) role is the big brother to the Chief Information Security Officer (CISO) role. What is the difference between these two roles and what skills does a CISO need to focus on if they aspire to become a CSO? In this post I’ll explore the role of the Chief Security Officer (CSO) and what additional responsibilities the role covers when compared to the CISO role.

Big Brother

Lately, there has been a lot of focus on the Chief Information Security Officer (CISO) role following the new SEC guidelines, recent ransomware attacks and supply chain security vulnerabilities (XZ). There can be a lot of different titles for the top security executive at a public company, but the two most common titles for a public company are Chief Information Security Officer (CISO) and Chief Security Officer (CSO). The Twins movie is a good analogy to describe the relationship between the CSO and CISO because in the movie Arnold protects Danny DeVito by helping him avoid trouble, while Danny is super scrappy and shows Arnold how the real world works. They complement each other, protect each other and help each other. One is the overall leader and one has a great hustle.

What the Twins analogy highlights is the main difference between a CSO and CISO is scope. A CSO typically has a bigger scope than a CISO. A CISO will have responsibility for all of the information and technology assets of a company, but a CSO will have this responsibility and additional responsibilities for physical security, executive protection, corporate investigations and other non-information technology based security domains. In fact, for public companies that have an established CSO role, it is typical for the CISO role and function to report to the CSO as one overall security function. Let’s dig into some of the additional functions of a CSO.

Like Arnold Schwarzenegger to Danny DeVito in the movie Twins, the Chief Security Officer (CSO) role is the big brother to the Chief Information Security Officer (CISO) role.

Physical Security

One of the biggest responsibilities for a CSO is physical security. Physical security includes site security for offices and the physical security of the personnel working at the facilities were the company operates. This can include things like cameras and video monitoring, badging systems, security and fire alarm systems, safes, locks, lighting, parking and loading docks, contractor access, mail and package security, bollards and traffic control, security guards and gates, fencing, fire suppression and other physical environment aspects. Depending on the nature of your business, this could also involve supply chain security of manufacturing facilities and components, or even critical infrastructure. It can also include tempest and RF control, including design and management of classified spaces.

One interesting aspect of physical security is to work with construction companies or physical security consulting firms to design and assess the security controls of your facilities. Books like Red Cell by Richard Marcinko offer an interesting historical perspective of how the military physically tests the security of their military installations and public companies should similarly consider an annual or periodic review of their physical security for weaknesses and risks.

If your company is involved in manufacturing, another interesting aspect of physical security is supply chain security and logistics. This is ensuring your products are manufactured securely and aren’t tampered with during the manufacturing process. It can also include assessing the security of component manufacturers, assembly plants and even shipping and logistics companies to make sure your products arrive to your customers and are functioning securely.

Lastly, another aspect of the CSO’s physical security responsibilities is interfacing with local and federal law enforcement for trends, threats and dealing with physical disruptions at your places of business like the recent examples of protests at Google offices.

Executive & Travel Protection

Another responsibility of the CSO, which is related to physical security, is executive and travel protection. Executive and travel protection covers how to physically protect your top executives from threats when they are in public, traveling, at their offices or at their homes. This can include arranging trusted transportation, route planning, on site security surveys, sending advanced teams ahead of the execs, kidnap and ransom insurance, medical support and even online reputation management. You may even arrange training for your execs such as mock kidnapping situations or how to deal with other emergency situations (like riots, terrorist attacks, wars or coups).

Executive and travel protection can include interfacing with local embassies, law enforcement or emergency services depending on the threat level of the country your senior execs are visiting. This is in addition to the existing CISO responsibilities of interfacing with law enforcement for security breaches, APTs, ransomware attacks, digital fraud, etc. Exec and travel protection can also include arranging for security companies to beef up the security of their home(s) and arranging to have their home security monitored by a private security company (if this is part of their perquisites).

Lastly, one very important aspect of executive and travel protection is digital device security. This responsibility may get delegated to the CISO, but the CSO still needs to understand and include digital security as comprehensive part of their executive protection strategy. Certain countries are known to be digitally hostile by attempting to siphon information from or compromise the devices of executives at top companies. This can be attempts at industrial espionage, theft of military and defense information, gaining business advantages, disrupting business, leveraging the exec as an attack vector into the broader company, trade advantages or potential blackmail. The CSO should consider these risks based on the destination country and provide appropriate controls to executive devices such as providing burner phones and laptops for specific country use that are sterile and won’t impact the company or personal reputation of the executive if compromised.

Executive and travel protection is important to ensure your top execs are safe and secure when traveling, but also, if your business is controversial or your top execs like to make controversial statements, this function can ensure they are safe and protected no matter what situation they are in.

Corporate Investigations

One final area of responsibility for the CSO is corporate security investigations beyond the normal technology investigations handled by the CISO. Corporate security investigations can include theft, financial crimes, waste, abuse, vandalism, misconduct, bribery and supply chain control (for ITAR or other export / import laws). You may work closely with law enforcement at the state or federal level depending on the nature and scope of the investigation and the CSO function is critical to coordinating the investigation and representing the business appropriately. Corporate investigations can also involve acting as an expert witness or providing testimony in court on behalf of your company.

One important aspect to remember is, CSOs need to have clear processes and policies defined for how and when to involve law enforcement. The decision to involve law enforcement may be based on legal requirements or may be based on other decisions, but involving law enforcement gives up control of the investigation, which could result in property being confiscated as evidence. If the evidence is a critical business asset like IT equipment, the CSO needs to ensure there are redundancies in place so the business is not disrupted or left without that capability while supporting the investigation.

Wrapping Up

The CSO role is an interesting top security executive role and offers a broader scope than the CISO role. CISOs looking to expand their remit should consider establishing credibility in the areas I’ve described above, but should also remember that most professional security certifications like the CISSP cover aspects of physical security as one of the knowledge based domains. If you don’t have a military or law enforcement background, two interesting certifications that can establish physical security credibility for CISOs are ISMA and ASIS. Lastly, CSOs will typically have responsibility for the CISO function (with the CISO reporting to them), but will also have additional remit in areas of physical security, executive protection, travel protection and corporate investigations. In my experience, the CSO role is more interesting because you get involved in all aspects of security for a company allowing you to channel your inner Arnold Schwarzenegger from Twins, while still retaining the option to flex your Danny DeVito (CISO) roots.

When Evaluating A New CISO Role Don’t Forget The SEC 10-K And Other Governance Forms

When evaluating a new CISO role it is common to do research on the company, industry, product line, etc., but an area that is often overlooked are SEC filings like the SEC Form 10-K and board committee charters. SEC filings and committee charters can offer a wealth of information about how a company views and governs key issues like cybersecurity and risk. In this post I’ll cover where to find key information, red flags to watch out for and other useful information that can be discussion topics during the interview process.

Finding The Right Forms

If you are new to reviewing SEC filings and corporate governance documents there are a number of places to find documents about corporate governance and how the company strategically views cybersecurity and risk. These documents will provide insight into who you may need to influence in order to execute a successful security program and it will also give you an implicit understanding of the priority the company assigns to cybersecurity issues. The two best places to find relevant forms are on SEC.gov (Edgar) or on the company’s own investor relations website.

SEC Forms

The most common SEC forms you will want to review when preparing for a new CISO role are the SEC Forms 10-K, 10-Q and 8-K.

10-K: The SEC Form 10-K is a comprehensive annual report filed by public companies. It has a wealth of information such as their financials, how they view the market, executive compensation and more. When considering a new CISO role definitely check out section 1 and 1A. Section 1 covers an overview of the business and section 1A covers macro risk factors (you may be asked to help mitigate these risks). Section 1 may also specifically call out cybersecurity governance and have details on the reporting structure, responsibilities, experience and methods for governing cybersecurity at the company. Also check out section 7, which will detail how management describes the company and can also have details on recent acquisitions or restructuring activities, which could continue to present a risk to the business.
10-Q: The SEC Form 10-Q is a comprehensive quarterly report filed by the public company. This will detail their quarterly results and will also provide any updates or changes to the sections I listed above – mainly section 1, 1A and section 7. Most of the time there won’t be any updates to these sections and they will refer back to the 10K, but it is still good to review the latest 10-Q available.
8-K: The SEC Form 8-K is a form companies must file to notify investors of major events. The biggest thing CISO candidates will want to review is if the company has had any material cybersecurity or operational incidents. However, if the company deems an event isn’t material it may not be in the 8-K and so it is a good idea to do a web search of the company as well.
Committee Charter Docs: The last set of documents to review are the committee charter documents. This will tell you how the board is structured, which can give you insights into what to expect if you take the role and give periodic updates to the board. The committee charter documents will also outline how they govern cybersecurity, risk and technology and the committee charter documents can give you implicit insight into how the company views the role of the CSO / CISO and cybersecurity.

How Should Cybersecurity Be Governed?

When reviewing the governance and committee documents of a public company, you may find cybersecurity discussed in different places. You should review these documents and also consider discussing cybersecurity governance during the interview process.

Audit committee

The audit committee is the most common committee to govern cybersecurity and risk at a public company. The challenge with placing cybersecurity and risk in the audit committee is the primary function of that committee is financial accuracy and integrity. Cybersecurity and risk are typically listed as “other functions”, which runs the risk of it not having the same priority as financial activities and the committee members may not have the right expertise to govern these functions. The typical executive experience of an audit committee member can be CEO, CFO or COO and these individuals typically aren’t experts in cybersecurity or risk. It isn’t the end of the world, but as a CISO candidate you should review the backgrounds of the audit committee board members and ask how they interact with existing C-Level executives when discussing cybersecurity, technology and risk. You may even want to ask to interview with one of the committee members before taking the job. The main goal is to make sure you are going to get the consideration, prioritization and support you need.

Tech and cyber committee

Aside from the audit committee, the other committee that governs cybersecurity and risk is the technology and cyber committee. However, the existence of this committee is currently non-standard at public companies even though it is considered best practice for corporate governance. If the company you are interviewing has a technology and cybersecurity committee consider yourself fortunate, but you should still do your own due diligence by researching the existing committee members and their backgrounds. Consider requesting an interview with one of these committee members (if it isn’t part of the interview process) to get their perspective on cybersecurity governance and issues at the company.

The challenge with placing cybersecurity and risk in the audit committee is the primary function of that committee is financial accuracy and integrity.

Other Cybersecurity Governance Aspects To Consider

There are a few other aspects to consider when reviewing corporate governance documents. These other areas can give you valuable insight into what is expected of you if and when you assume the role of CISO at the company. First, I recommend covering materiality during the interview process. Ask if the company has a process and if possible discuss their criteria for determining materiality of a security incident. Second, review and assess how often the board committee responsible for cybersecurity meets. This can give you an idea of how often you will be expected to present to the board and may even give you an idea of the topics that are discussed.

Red Flags

The whole point of reviewing these documents is to help you make an informed decision about what you are walking into if you take the role. There are few red flags you should look out for in these documents that should definitely be discussed during the interview to make sure you are clear on your role and expectations. These red flags may also help you when negotiating for things like severance, inclusion in the D&O liability policy or other concessions.

10-K & 10-Q

Remember, the 10-K and 10-Q will have a section on risks and the company may specifically call out cybersecurity risk as a macro issue they are concerned about. However, one red flag I would bring up for discussion is does the company address how they plan to manage these risks? Something as simple as “we plan to discuss and manage these risks inline with business priorities and expectations to minimize their impact” indicates they have at least given it some thought. Even better, if the company has a detailed section on risk and risk management that addresses how they plan to govern the company to address these risks. If the 10-K and 10-Q just list the risks, it may be an indication the company is paying lip service to cybersecurity or it could mean they are waiting for the right candidate to come in and develop a plan.

Experience Of Committee Board Members

Another potential red flag is the background and experience of the board members for the committee that governs cybersecurity and technology risk. Review their background, how long they have been serving on the board and when they are up for re-election. If the committee members have a strong technology or cybersecurity background you can expect to find an ally in the board room. If the committee members haven’t been technology executives you may find you have to change your message or do some education when reporting to the board. The SEC has indicated cybersecurity experience is necessary for the board to effectively govern risks, so if there isn’t clear experience, it is something to bring up in the interview for how and when the company is planning to address the experience gap.

Cybersecurity As Part Of The Audit Committee

I previously mentioned most public companies have cybersecurity listed as an additional function of the audit committee. This can be a red flag if the board doesn’t have committee members with technology experience, but can also be a red flag if the company views the CISO role and security program as more of a compliance function. The view of the board will be directly related to how much funding and support you are able to get from the rest of the company like the CEO and CFO.

Having cybersecurity and risk as part of the audit committee can also lead to a disconnect from the main security program. For example, if the audit committee treats security more as a compliance function, they may request a group that reports directly to them that audits the effectiveness of the corporate security program. This can lead to duplication of effort, cross purposes and mixed messaging at the board level. It can also undermine the authority of the CISO if the board is independently dictating security actions to the company outside of the main security program. However, having cybersecurity as part of the audit committee isn’t the end of the world and can actually lead to support from the board, but it will require additional effort and relationship management to make sure the board is supporting your program effectively. These are all topics you will want to explore during your interview.

Other SEC Filings

There are a few other areas you should review when conducting research for a new CISO position. I highly recommend reviewing recent 8-K filings and conducting internet searches to see if the company has reported any recent security incidents or breaches. If they have, you may be walking into a situation where they need immediate help to get back to a good state, but that support may wane after the urgency of the situation dies down. If you are considering taking a role that is walking into a post incident situation, be really clear on expectations and success criteria and try to build those into your employment contract.

The other area I recommend reviewing is recent or ongoing M&A activity. This will be listed in the 10-K or 10-Q filings for the company and it can give you some insight into what you may be walking into as a CSO / CISO. M&A activity is notorious for “closing the deal” and then sorting everything out later. As a CISO this means you could be inheriting a heterogenous security program or you may have to spend a significant amount of time up-leveling the acquisition to meet the standards of the rest of the company. There may even be extensive integration, standardization, etc. that needs to be completed. All of these are risks that you should be aware of when walking into a new CISO role.

Wrapping Up

When evaluating a new CISO role for a public company I recommend thoroughly researching the company as part of your evaluation process for the role. Familiarize yourself with their business model, the latest news articles, key members of the executive staff, board members and financial statements. If you have a strong CISO network I recommend reaching out to them and getting their perspective on the position. However, overlooked areas of research are the public company filings with the SEC and other investor relations documents that can give you more perspective on the company. It is particularly important to review these documents to get an idea of how the company governs cybersecurity and risk. These documents will also highlight potential red flags and discussion topics to explore during your interview. Thoroughly researching the company and the role will not only help prepare you for the interview process, but can also give you insight into how other public companies govern these issues so you can compare with your current position and make the best decision possible for your career.

Resources

SEC Search

DDN Discussion Of Cybersecurity Governance

Start Preparing For Your Next Role During Your Current Role

If there is one piece of advice I can pass on to anyone – it is don’t wait to start preparing for your next role. No matter where you are in your career, your job will constantly expose you to new things and those new things will change your perspective, give you experience and make you grow in ways you can’t anticipate. Embrace the growth, but also have the foresight to set yourself up for success no matter where your career takes you. This post offers several lessons learned about how to constantly position yourself for success and most importantly – don’t wait to prepare for your next role.

Start With The Interview

Preparing for your next role begins the second you start interviewing for your current role. The interview process is a time for both the company and the candidate to ask questions. The process will reveal areas of growth on both sides and candidates should embrace the areas they are less confident in or need to work on. This will set them on a path for mastering those skills and to be able to use their current role as a stepping stone to the next role. Candidates can also use the interview to ask how the company views the role evolving and what is the path for promotion (either title or job level)?

During the interview process or after landing the job, candidates should evaluate and learn the skills exhibited by their immediate manager or the senior member of their team. Have conversations with these individuals and make a list of skills you need to master if you were promoted to their role. The time to work on new skills is now, not when a role or promotion is offered. By that time it is too late! Whether you are aiming for a promotion, looking for a new job or if you get laid off and need to find a new position, don’t wait to prepare until you need a job because you will be behind the curve.

Get Certifications

If you are targeting a new role or promotion, look at the qualifications and certifications of individuals in those roles. LinkedIn is a great place to do research on what is needed for career progression. Evaluate the certifications, degrees and experience of people who have the job title you want. Also review job postings to see what companies are looking for. Certifications take time, money and effort so plan accordingly. If your company offers to pay for these certifications take full advantage and build it into your performance goals. Make a plan to obtain the necessary certifications and qualifications so you can position yourself and effectively compete for the role you want.

Demonstrate Expertise

In addition to certifications you also need to demonstrate expertise. When doing your research about your next job, don’t just look at the job title. Look at the skills they require, the company size and the industry. Learn the skills, learn about the company and learn about the industry they operate in. Demonstrate expertise in these areas by writing blog posts, submitting conference talks, participating in local chapter events or participating in a podcast. You can even use popular social media platforms to generate your own content. The point is to build up a body of work that demonstrates your knowledge and most importantly to create an independent profile, separate from your job that represents who you are and what you can do. Think of it as a living resume.

Network

Networking continues to be one of the most powerful ways to advance your career. Attending conferences, chapter meetups, get togethers, and other social events puts a face to a name and builds rapport. This can be invaluable when looking for your next job, but just like everything else it takes time and effort to network.

Outside of the meetups, there are a few other recommendations I have for networking. First, don’t target the people that have the job you want, target the people that hire for the job you want. For example, if you want to be the CISO at a publicly traded company, do research on who the current CISO reports to and then figure out a way to connect with that person so you are on their radar. Second, make a list of companies that you would like to work for and research people at those companies. Start connecting and networking with those people either virtually or physically. Ask for a quick intro call to introduce yourself and learn about their role. Lastly, connect with recruiters that hire for the position you are targeting. Set up an intro call to get their perspective on the market and how you can position yourself better. This will put you on their radar as a candidate when new positions come their way. This all takes time and effort, but if you set a small goal to meet one new person a month, this can quickly lead to a lot of new people in your network by the time you are ready to make a move.

Don’t target the people that have the job you want, target the people that hire for the job you want.

Challenge Yourself

My last piece of advice is to constantly challenge yourself. First, expand your experience by learning about different aspects of the business that will help you to be successful in your next role. Learning about other aspects of the business such as finance, HR, product, sales, engineering, etc. will make you more effective in your current role and give you valuable experience for your next role. It will also generate empathy on both sides, which can pay dividends towards making your next security project a success.

Second, don’t focus on team size. Instead, focus on scope and impact of your role. You may think it is better to have an extremely large team, and while this can be good experience, it doesn’t really tell people anything about what you accomplished. Instead, focus on developing and articulating the scope and impact of your role. For a CISO and the security organization, this means becoming a trusted advisor for the rest of the business and translating your successes into career highlights.

This brings us to the last piece of advice I have, which is to keep a running “brag sheet” of your accomplishments. As you progress in your current role, write down your accomplishments and the things you learn that can be useful in future roles. Continually update your resume and social media profiles to capture these achievements so you don’t have to try and remember them when a new opportunity presents itself. Keeping your resume continually updated means it will be fresh and ready to go when a recruiter reaches out or your dream role opens up.

Wrapping Up

The biggest thing you should take away from this post is to continually improve yourself by gaining experience and credentials that will be useful in your next position. Have the foresight to think about your current position and the moves it will take to get you to your dream role. Start planning for that role today because it takes time to build up the right skills, credentials and expertise for your next job.