Tag: #career

Navigating The First 90-180 Days In A New CISO Role

Late one Friday afternoon a call comes in and you find out you landed your next CISO role. All the interview prep, research, networking and public speaking has paid off! Then it dawns on you that you could be walking into a very difficult situation over the next few months. Even though the interview answered a lot of questions, you won’t know the reality of the situation until you start. How will your expectations differ from reality? What can you do to minimize risk as you come up to speed? How should you navigate these first 90-180 days in your new role?

Prior To Starting

Let’s assume you have some time to wind down your current position and you are also going to take some time off before starting the new role. During this transition period I highly advise you reach out to your peers in the new role and start asking questions to get more detail about the top challenges and risks you need to address. Start with the rest of the C-Suite, but also get time with board members and other senior business leaders to get their perspectives. Focus on building rapport, but also gather information to build on what you learned during the interview process so you can hit the ground running.

You can also use this time to reach out to your CISO peers in your network who are in the same industry, vertical or company type to get their perspective on what they did when they first joined their company. Learn from their experience and try to accelerate your journey once you start. Keep the lines of communication open so if you run into a situation you are unsure of you can ask for advice.

Once You Start

Build Relationships

First and foremost, start building relationships as quickly as possible. Target senior leadership first, such as board members, the C-Suite and other senior leaders. Work your way down by identifying key influencers and decision makers throughout the org. Play the “new person card” and ask questions about anything and everything. Gain an understanding of the “operational tempo” of the business such as when key meetings take place (like board meetings). Understand the historical reasons why certain challenges exist. Understand the political reasons why challenges persist. Understand the OKRs, KPIs and other business objectives carried by your peers. Learn the near and long term strategy for the business. Start building out a picture of what the true situation is and how you want to begin prioritizing.

Understand the historical reasons why certain challenges exist. Understand the political reasons why challenges persist.

Plan For The Worst

Don’t be surprised if you take a new role and are immediately thrown into an incident or other significant situation. You may not have had time to review playbooks or processes, but you can still fall back on your prior experience to guide the team through this event and learn from it. Most importantly, you can use this experience to identify key talent and let them lead, while you observe and take notes. You can also use your observation of the incident to take notes on things that need to be improved such as interaction with non-security groups, when to inform the board, how to communicate with customers or how to improve coordination among your team.

Act With Urgency

Your first few months in the role are extremely vulnerable periods for both you and the company. During this period you won’t have a full picture of the risks to the business and you may not have fully developed your long term plan. Despite these challenges, you still need to act with urgency to gain an understanding of the business and the risk landscape as quickly as possible. Build on the existing program (if any) to document your assumptions, discoveries, controls and risks so you can begin to litigation proof your org. Map the maturity of security controls to an industry framework to help inform your view of the current state of risk at the company. Begin building out templates for communicating your findings, asks, etc. to both the board and your peers. Most importantly, the company will benefit from your fresh perspective so be candid about your findings and initial recommendations.

Evaluate The Security Org

In addition to the recommendations above, one of the first things I like to do is evaluate the org I have inherited. I try to talk to everyone and answer a few questions:

  1. Is the current org structure best positioned to support the rest of the business?
  2. How does the rest of the business perceive the security org?
  3. Where do we have talent gaps in the org?
  4. What improvements do we need to make to culture, diversity, processes, etc. to optimize the existing talent of the org?

Answering these questions may require you to work with your HR business partner to build out new role definitions and career paths for your org. You may also need to start a diversity campaign or a culture improvement campaign within the security org. Most importantly, evaluate the people in your org to see if you have the right people in the right places with the right skillsets.

A Plan Takes Shape

As you glide past the 90 day mark and start establishing your position as a trusted business partner, you should arrive at a point where a clear vision and strategy is starting to take shape. Use the information you have gathered from your peers, your program documentation and your observations to start building a comprehensive plan and strategy. I’ve documented this process in detail here. In addition to building your program plan you can also begin to more accurately communicate the state of your security program to senior leaders and the board. Show how much the existing program addresses business risk and where additional investment is needed. I’ve documented a suggested process here. Somewhere between your 90 and 180 day mark you should have a formalized plan for where you are over invested, under invested or need to make changes to optimize existing investment. This could include restructuring your org, buying a new technology, adjusting contractual terms or purchasing short term cyber insurance. It could even include outsourcing key functions of the security org for the short term, until you can get the rest of your program up to a certain standard. Most importantly, document how you arrived at key decisions and priorities.

Take Care Of Yourself

Lastly, on a personal note, make sure to take care of yourself. Starting a new role is hectic and exciting, but it is also a time where you can quickly overwork yourself. Remember building and leading a successful security program is a marathon not a sprint. The work is never done. Get your program to a comfortable position as quickly as possible by addressing key gaps so you can avoid burning yourself out. Try to establish a routine to allow for physical and mental health and communicate your goals to your business partners so they can support you.

During this time (or the first year) you may also want to minimize external commitments like dinners, conferences and speaking engagements. When you start a new role everyone will want your time and attention, but be cautious and protective of your time. While it is nice to get a free meal, these dinners can often take up a lot of time for little value on your end (you are the product after all). Most companies have an active marketing department that will ask you to engage with customers and the industry. Build a good relationship with your marketing peers to interweave customer commitments with industry events so you are appropriately balancing your time and attending the events that will be most impactful for the company, your network and your career.

Wrapping Up

Landing your next CISO role is exciting and definitely worth celebrating. However, the first 90-180 days are critical to gain an understanding of the business, key stakeholders and how you want to start prioritizing activities. Most importantly, build relationships, act with urgency and document everything so you can minimize the window of exposure as you are coming up to speed in your new role.

Navigating The CISO Job Market

I had an interesting conversation with a friend over coffee last week and we were discussing how weird the CISO job market is right now. Even though the unemployment rates are favorable, the tech sector has actually seen slightly negative employment growth rates, which is not normal. This is largely due to a hangover effect from record hiring during COVID, but there are also other issues in the market right now that is making it challenging. The following is a review of all the things I am seeing in the tech job market right now, particularly with respect to hiring for CISO positions.

Macro Tech Environment

Let’s take a step back and look at the overall economy to understand some of the higher level factors influencing the CISO job market. First, let’s look at one end of the tech market starting with large companies. Over hiring and high compensation packages from COVID have made existing employees stay in place and so natural turnover at public companies is below average. In addition to this, fears of a recession and high interest rates have made large companies cautious about hiring new employees. When the cost to borrow money is higher, it slows growth and ultimately impacts hiring. As a result, companies are trying to get back to growth through layoffs and attrition. They are trying to artificially increase attrition by withholding bonuses, pay raises and promotions, or requiring new job requirements like return to office 4 or 5 days a week.

Second, at the other end of the market, higher interest rates impact Venture Capital (VC) and Private Equity (PE), which ultimately impacts funding for startups and subsequent job creation. With the smaller end of the market being squeezed (VC / PE) and the larger end of the market also being squeezed there aren’t a lot of options for candidates to go. Compound this with record tech layoffs over the past year and an influx of new college grads to the job market and you create a highly competitive market.

Too Much Noise

The highly competitive job market is making job candidates seeking employment and existing CISOs seeking career growth (or a change) compete with each other. The competition is causing candidates to get desperate and apply to any job that sounds sounds remotely interesting, regardless of whether or not they are qualified for the role. This is also compounded by unrealistic career expectations from past promotions, boot camps and college campuses that make people think they can qualify for the top spots, despite lacking meaningful experience. Add in how easy LinkedIn and other jobs sites have made it to apply for jobs and the net effect is to create tons of noise for recruiters and drown out qualified candidates.

I spoke to a recruiter a few weeks ago who had a job posting up for 24 hours and received thousands of applicants, of which only a handful were qualified and advanced to the interview process. Due to the volume of unqualified applicants, recruiters are only pushing through the first handful of qualified candidates and are passing on the rest of the backlog. Of all these applicants the only candidates who are getting to the first round interview phase are direct referrals.

In addition to too much applicant noise, recruiters are also finding a high number of candidates that are mis-representing themselves. Recruiters and hiring managers aren’t stupid. They can read between the lines of your career history and discern what you were really doing. If you claim to be a CISO, yet have never held more than a manager level job, then you are mis-representing yourself. The reality is, recruiters want to get paid on placing the top candidates. They are unwilling to put someone forward for a top spot that can’t back up their resume. Top candidates can not only defend their experience, but have lots of direct and indirect network connections that can vouch for them as referrals, if needed. The CISO community is a small one and people know who is the real deal and who is faking it. The sad reality is, people who mis-represent themselves are only hurting themselves by artificially placing themselves in a higher, more competitive tier than they are qualified for and as a result will never land that top spot.

Companies Are Being More Strict

High interest rates, tight budgets and a noisy applicant process mean companies are being more strict with their job requirements. More top CISO positions are requiring candidates to be on site at the corporate headquarters location at least 4 days a week. Companies are also searching globally, but hiring locally by giving preference to local candidates they don’t have to relocate and also preference to internal candidates that cost less than a retained search. CISO salaries have also slowed or stagnated with only the top spots paying top salaries. The rest are paying mid-range or low balling candidates in an attempt to get a qualified applicant at a lower price. On top of this, companies are also being more strict with degree requirements (usually a Masters for CISOs), years of experience and certifications. They are also filtering out candidates with lots of job hopping and short career stints because even though you may have carried the CISO title, it is highly unlikely you accomplished anything meaningful if you were there for less than 18 months.

The only candidates who are getting to the first round interview phase are direct referrals.

Be Cautions

Lastly, there are a few other issues that are disrupting the job market. The first is fake job postings. There are more and more reports of fake job postings that entice applicants, but are really out to steal their personal information. Be cautious and use your network to validate the postings if you are interested in applying for a CISO role (this comes back to direct referrals also).

Second, companies are leaving zombie positions out there to give the impression they have open roles, when they really don’t. They are doing this for a few reasons – they want the market and their employees to think they are hiring and growing even when budgets are tight and companies are trying to cut headcount. If you see a job posting out there for more than a few days, it is highly likely it is a zombie posting.

The last issue I want to highlight is how job sites mis-represent numbers to entice companies to spend money with them, while hurting applicants. I’m specifically referring to how LinkedIn and other job sites show metrics on “number of applicants” for job postings, when in reality these are only the number of people that have viewed the posting, not applied. I mention this because I have seen a number of posts from people who have expressed interest in a role, but have been discouraged by the “number of applicants” and as a result didn’t apply.

Maximizing Your Opportunity

Now that you understand what is going on with the job market, let’s discuss what you can do to maximize the likelihood you will land that interview and get the job.

  1. Invest in yourself – take this time to get certifications, degrees, etc. that make you competitive and demonstrate constant learning and knowledge. Invest in yourself while looking for a new role.
  2. Invest in your network – do a deep dive on your network. LinkedIn makes it easy to download your list of connections and sort them my company, degree of connection, etc. Use this analysis to understand where you have connections and where you don’t. Look for people that can connect you to individuals that hire for positions you want at your targeted companies. Find ways to meet with these people. Do the same for recruiters. Build these connections before you need them because it is always better to be a live person than a random InMail on LinkedIn.
  3. Update your resume and LinkedIn – Seriously, if you don’t know how then ask someone or pay someone. First impressions matter.
  4. Practice interview questions – Write down key accomplishments and the details for how you achieved them. Think of your weaknesses and how you turn those into strengths. Ask your network for recent interview questions and develop answers. Preparation matters and will pay off during the interview process.
  5. Stop blasting your resume into the ether – If you see a role you want to apply for, poll your network to see if you know anyone at the company or if your network knows someone at the company. Get your resume directly into the hands of the recruiter or hiring manager. Direct referrals are the only reliable way to get an interview.
  6. Get focused – Have you been attending a lot of networking events lately in the hope of meeting someone who is hiring? Consider the value of all the “networking” activities you are doing. As a single person you can’t scale to attend every event that is out there so you need to be targeted. Consider the audience of who is attending and consider the value of the event. If you are attending events that are also attended by all of your competition then you probably aren’t going to land your next job there. Instead, consider all the events and networking groups in your area, which one’s have the most likelihood of putting you in front of people that hire for your role and focus on maximizing the potential of those events.
  7. Stop directly asking people for jobs – there is no faster way to end a conversation or relationship than asking someone for a job they don’t have. Instead, if you have the opportunity to make an ask of someone, ask them to connect you with someone they know may be looking for someone with your background. Take the pressure off of them, keep the connection alive and expand your network at the same time.
  8. Consider staying put – the tech sector seems to lag what the overall economy is doing by a few years. If the tech sector is contracting it will eventually expand and get back positive employment rates. This can also give you time to build your credentials, while looking for the ideal next step.

Should CISOs Be Technical?

Don’t want to read this? Watch a video short of the topic here.

There are a lot of different paths to becoming a CISO and everyone’s journey is different, however two of the most common paths are coming up through the technical ranks or transitioning over from the compliance function. Coming up through the technical ranks is common because cybersecurity is a technically heavy field, particularly when attempting to understand the complexities of how exploits work and the best way to defend against attackers. Coming up through the compliance ranks is also common because companies are often focused on getting a particular compliance certification in order for them to conduct business and interact with the customers. Each of these paths offers advantages and disadvantages, but I will argue being technical is more challenging than some of the softer cybersecurity disciplines like compliance, which leads to a common question – do CISOs need to be technical?

Yes, but…

If you don’t want to read any further the short answer is yes, CISOs need to be technical. The longer answer is, being technical is a necessary, but insufficient characteristic of a well rounded CISO. The reason being technical is insufficient is because for the past few years the CISO role at public companies has been transforming from a technical role to a business savvy executive role. CISOs are expected to report to the board, which requires speaking the language of business, risk and finance. I have seen CISOs quickly lose their audience in board meetings when they start talking about tooling, vulnerabilities and detailed technical aspects of their security program. CISOs need to be able to translate their security program into the language of risk and they need to be savvy enough to weave in financial and business terminology that the board and other C-Suite executives will understand.

Obtain (and maintain) A Technical Grounding

Even though being technical is no longer sufficient for a well rounded CISO it is important for a CISO to obtain or maintain a technical grounding. A technical grounding will help the CISO translate technical concepts (like vulnerabilities and exploits) into higher level business language like strategy, risk or profit and loss (P&L). It is also important for a CISO to understand technical concepts so they can dig in when needed to make sure their program is on track or controls are operating effectively. Lastly, it is important to maintain technical credibility with other technical C-Suite stakeholders like the CTO and CIO. Speaking their language will help align these powerful C-Suite members with your security program, who can then lend critical support when making asks for the rest of the C-Suite or board.

What other skills does a CISO need?

In addition to a technical grounding, there are a number of skills CISOs need to master in order to be effective in their role. The following is a short list of skills CISOs need to have in order to be successful at a public company:

  • Executive presence and public speaking skills with the ability to translate security concepts into business risk that resonates with senior executives and the board
  • Ability to lead and communicate during a crisis
  • Politically savvy, with ability to partner with and build alliances with other parts of the business
  • Ability to understand the core parts of the business, how they operate and what their strategy is
  • Ability to explain the “value” of your security program in business and financial terms
  • Strong understanding of financial concepts such as CAPEX, OPEX, P&L, budgeting and ability to understand balance sheets, earning results and SEC filings
  • Understand and navigate legal concepts (such as privilege), regulations and compliance activities with the ability to map these concepts back to your security program or testify in court (if needed)
  • Ability to interact with auditors (when needed) to satisfy compliance asks or guide responses
  • Ability to interact with customers to either reassure them about the maturity of your security program or act as an extension of the sales team to help acquire new customers
  • Interact with law enforcement and other government agencies, depending on the nature of the business

If this seems like a long list that doesn’t fit your concept of what a CISO does, then you may have some weaknesses you need to work on. This list also reflects the evolving nature of the CISO role, particularly with respect to board interaction and leadership at public companies. More importantly, a lot of these concepts are not covered in popular security certifications and you definitely won’t get all of this experience from start ups or non-public companies. That is ok, because recognizing and acknowledging your weaknesses is the first step to becoming a better CISO.

Are Security Certifications Worth Renewing?

Almost weekly I see someone post a question on social media asking: “Is renewing my security certification worth it?” This is a valid question since security certifications are often expensive, time consuming and hard won. Maintaining your security certification may be required to land a new job, but not required to continue in the role. At the end of the day the question people are really asking is: “Is the continued expense of this certification worth it after I’ve landed the role I’m after or achieved my career objectives?” In this post I’ll explore the pros and cons of renewing a security certification and wrap up with my specific recommendation for those of you looking for guidance.

Getting Certifications

There are a number of popular security certifications that can demonstrate general or specific expertise. Some of the most popular are:

  • CISSP
  • CISM
  • CEH
  • Security+
  • CISA
  • CCSP

Along with the variety of certifications there are different ways to earn a certification. The least expensive and most time consuming is to purchase the course material, self study and then sit for the exam. The most expensive and least time consuming is to attend a boot camp and then test for the exam on the last day. If you are lucky your employer will pay for or reimburse the expense of the certification. No matter which way you go, there is a material cost in terms of dollars and time. This cost can make people reluctant to let certifications expire because the certifications have a high barrier to entry, but a (relatively) low maintenance cost.

Pros To Renewing

One of the main reasons to continue to maintain your certification is because they are required by some job roles in order to be hired and perform the role. One example of this is in the U.S. Government Department of Defense (DoD) 8570 Approved Baseline Certifications. The 8570 specifies “Personnel performing IA functions must obtain one of the certifications required for their position, category/specialty and level to fulfill the IA baseline certification requirement.” So if you want the job, and want to keep the job, then you need the certification.

In addition to job requirements, maintaining an active certification gives the impression of having expertise in a particular area. Demonstrating expertise is useful when speaking, consulting, providing legal testimony or simply cementing your position as an expert in the field of security. Expertise is useful when trying to land a new role or get a promotion. This can also be useful to limit personal liability if you can demonstrate you followed the best practices indicated by the certification. Maintaining a certification and this expertise is arguably a low cost, low effort activity with a lot of upside and not a lot of downside. Even though there is a dollar cost for renewal, this is a minor amount compared to the overall expense or time invested in getting the certification in the first place.

One final reason to maintain your security certifications is because it demonstrates you have a baseline level of knowledge as indicated by the certification. When you were studying and testing for the certification you were learning new concepts and confirming mastery of other concepts. This can be useful to validate your expertise, but also to demonstrate to others that you have mastered these concepts and can operate at the same level as other individuals that have the certification. This goes beyond demonstrating expertise in that is establishes a baseline of knowledge for security practitioners in the field and this is why employers often list specific certifications on job descriptions.

Cons To Renewing

Even though there are a number of benefits to maintaining a certification, there are also a lot of cons.

First, there is the obvious annual cost for renewing the certification. Not only is there a dollar cost, but there is also usually a time cost in the form of continuing education credits that have to be earned and submitted throughout the year. The idea is to drive engagement in the security community by requiring these continuing education credits, but in my opinion this has had mixed results. For anyone on the fence about renewing a certification the time and dollar cost can be the breaking point where it no longer makes sense to continue to invest in something that isn’t demonstrating continued value.

Speaking of continued value, what are you really getting by spending time on continuing education and paying the renewal fee? You get the privilege to list the certification on your resume, but you’ve already gained the knowledge and passed the test. Renewing doesn’t typically require another test so is there really continued value (assuming you aren’t required to maintain it for your job)? The value is questionable if it isn’t required and so it can be difficult to justify maintaining.

Another downside to maintaining the certification is the continuing education credits. There are a number of low cost or free ways to earn credits, but it can be difficult or almost impossible to get to the required number without spending money. This is a con in my opinion because renewing the certification is perpetuating additional expenses such as more certifications, attending more conferences or other expenses just to earn enough credits. This means even though there is a low renewal cost, there can be a really high dollar or time cost to earn enough continuing education credits to maintain the certification.

In the pros section I listed the DoD 8750, which requires certain certifications to obtain and perform certain roles. However, requiring certifications for a job can also have a downside by eroding the exclusivity of the certification. This happened to the MCSE in the late 90’s and early 2000’s when everyone wanted an MCSE because it paid really well. However, soon everyone had it even if they weren’t doing the job and the MCSE became useless. It was no longer a good barometer for demonstrating expertise because so many non experts had it. Some security certifications are the same way and the DoD 8570 (or other employers) can contribute to this erosion of exclusivity if the people earning the certification are simply getting it to fill the role instead of becoming experts in the field.

One last con for renewing certifications is you may no longer be doing the type of job that requires the certification. In the past I held the GCIH, GREM and GPEN certifications, but I no longer do those hands on activities so it doesn’t make sense for me to maintain those certifications. If your career has taken you on a different path, then you no longer need to maintain the cert. Also, I will argue your job title can be more useful to demonstrate expertise than a certification. This isn’t always the case and this can sometimes be difficult to tease out with discretionary titles, but generally if you have carried the CISO or CSO title in some capacity do you really need to maintain an active certification? I’ve seen several individuals list their expired certifications on their resume, which continues to demonstrate the expertise, but without the added expense.

My Recommendation

If you are on the fence about whether or not to renew your security certification here is a simplistic flow chart for helping you with the decision. Feel free to recreate and add your own additional criteria as necessary.

My particular recommendation is as follows: if you want to maintain the credibility, demonstrate expertise, are still doing the job and can afford the renewal cost (both time and dollar), then renewing is typically not too expensive and worth it. I am also seeing a lot of job descriptions require active certifications so if you are about to job hunt or at risk of getting laid off then maintaining your certifications is a good idea. If you are no long doing the job, don’t need the credibility or expertise and the certification isn’t required by your job then I suggest no longer renewing and focusing on other areas. In my case, I have dropped most of the specialist certifications, while maintaining the generalist certifications in line with my role.

Accelerate Your CISO Career By Investing In Your Brand

When I was in the military there was a single consistent phrase that was repeated to us over and over again – reputation matters. Even though the military is a large organization, your specialization creates a small group and so how you perform and behave will stay with you throughout your career. This concept is no different from the security industry. How you demonstrate expertise, how you present yourself publicly and how you engage with the rest of the industry all contribute to your reputation. In this post I’ll explore why reputation is so important, activities that can contribute (or detract) from your reputation and how your reputation can accelerate your career.

Your Reputation Is Your Brand

Social media has made it extremely easy to have an online presence and it is easy to contribute to your profile using your device of choice. Sites like LinkedIn, WordPress and Medium have made it possible to have a digital resume documenting your career history, expertise and daily interactions with others. All of these interactions contribute to your reputation and ultimately your brand. But, what is brand and what does it mean to have a brand? Let’s dig into this.

What Is Brand?

Your brand is your reputation, but it is also broader than that. Reputation is whether individuals and your community view interactions with you in a positive or negative way. You reputation is a reflection of trust, credibility and reliability (or lack thereof). Brand is an extension of this foundation of trust. It is how you externally market yourself to people inside and outside your community and can be viewed as taking an active role in managing how people view you.

Why Should I Care About My Brand?

Whether you like it or not you have a brand. If you use the internet, play video games or use free services (like Gmail) you are discoverable on the internet. You should care about your brand because if you don’t actively manage how you are perceived, then you could be perceived in a negative way. Another way to think about brand is: there is a conversation happening around you whether you like it or not. Participating in and leading that conversation is going to be beneficial and advantageous to your brand (otherwise someone will do it without you).

Furthermore, if you aspire to land a top CISO position at a public company you can expect the company to research your background using publicly available sources like LinkedIn. They will do this not only to determine if you are a good fit for the role, but also as a way to understand and manage their brand and reputation. They don’t want to hire someone who has a bad reputation, whose viewpoints don’t match with their culture or could be a liability to the company.

Unapologetically Build Your Brand

Let’s talk about ways to build your brand. First, the nature of our business can make security professionals reluctant to talk about themselves, but you need to set aside the notion that there is something wrong with promoting yourself. You are your own best cheerleader and no one knows about your strengths, accomplishments or expertise better than you. You are your own best advocate and you should embrace your role as lead brand ambassador.

I regularly see people on social media disparaging the notion of self promotion. They claim people who self promote are merely influencers and not actual practitioners of the role. This is completely false and you need to ignore this type of negativity. Some of the best practitioners constantly promote themselves (like Bruce Schneier and Brian Krebs) as a way to build their brand and demonstrate expertise.

Separate Your Brand From Your Company

Second, it is important your brand is separate from your company. Unless you own your own company, don’t fall into the trap of parroting all of the marketing material of the company you work for. The reason why you don’t want to do this is because you will work for different companies over the course of your career and if you tie your brand to your company, your brand could evaporate overnight if you change companies. Additionally, only posting about your company and current role will limit your ability to demonstrate expertise in a broader context. This means you could be viewed as unqualified for roles that require a broader skillset, larger scope or different industry.

Actively Manage Your Brand

Third, actively manage your brand by regularly doing an internet search of yourself to see how others may view you. If you see articles, podcasts, pictures, references, etc. that don’t align to the brand you are trying to cultivate, then follow the appropriate steps to request to remove those things from search or from the site hosting them. Your brand will evolve as your career evolves and there is nothing wrong with curating older content that no longer aligns to the current vision you have for yourself.

Building Your Brand

Brand is a tricky thing and as one of the people on my team likes to say: “reputation arrives on foot and leaves on horseback.” I equate brand and reputation to holding a baby bird – if you don’t hold on it will fly away, but if you hold on too tight you will crush it.

There are a lot of things you can do to build your personal brand starting with your personal vision. If you aspire to be a CISO at a public company then you need to model yourself after someone in that role. Having a good mentor is essential to identifying and understanding your current strengths and weaknesses so you can begin to model and demonstrate the skills, behaviors and expertise of the role you want.

Second, you need to demonstrate expertise and credibility for the role you aspire to achieve. Getting certifications is good, but certs aren’t enough. You need to participate in industry events like chapter meetings, conferences, round tables and networking events. It also means actively participating in the industry in a public way. Showing up at the aforementioned events isn’t enough, you need to actively participate and have a voice. Actively participating in the industry can consist of submitting a conference talk, giving a talk at your local chapter event, starting a blog or even just adding insightful comments on LinkedIn. The point is your active participation will establish your voice and begin to establish your brand, reputation, credibility and expertise.

Most importantly, be consistent. Don’t just show up when you need something or when your dream job opens up, but that time it is too late. You need to have a history of consistently contributing and demonstrating expertise. Being consistent also means following through and executing on your commitments. If you say you are going to do something, then do it. Your ability to execute and follow through will resonate with everyone you interact with, so being consistent is incredibly important for building a positive brand.

Think of your brand as a never ending resume. If companies or people search for you then they should be able to get some idea of who you are, what expertise you have and how you think as a CISO. The breadth of your brand should cover all conceivable topics a CISO may be asked to perform such as leadership, operations, compliance, board interactions, technical evaluations, etc. This expertise needs to be applicable to a variety of industries and companies to maximize your brand potential and maximize your ability to land your next role.

Destroying Your Brand

Positive interactions through conversations, posts, talks, etc. are the best way to build your brand, but it is even easier to destroy your personal brand. Here are a few things I’ve seen that can cause a negative reflection on your brand.

Negative Interactions

Trolling folks on social media or negatively interacting with people is a quick and easy way to impact your brand. People don’t want to be around someone that is negative, gate keeps the industry or consistently tears people down. A quick way to evaluate if your interactions are negative is if people are liking your comments or positively engaging with you. If you aren’t getting engagement or follow up to your posts you may want to re-think your approach. An easy way to measure your brand is by number of followers, connections, views or likes (depending on the platform). If you aren’t seeing this number grow you probably need to rethink your approach.

Misrepresenting Yourself

Another way to impact your brand and reputation is by mis-representing yourself. This can harm your brand in a few ways – first, it is easy for folks to determine if you really can do the things you say. If you don’t have the expertise, but claim you do, people will know and begin to avoid you. Second, the security community is a small one and mis-representing yourself will trickle around to others and inhibit your ability to get onto the shortlist for the biggest roles. The top roles usually involve a lot of back channeling to understand who will be the best candidate. Misrepresenting yourself is a quick way to get taken off the short list of candidates. Lastly, misrepresenting yourself not only causes noise for the rest of the community, but directly relates to the previous paragraph of negative interactions. A lot of times the most bizarre or negative interactions I have seen are coming from people that claim they have expertise, but clearly don’t. Your title, byline, profile summary, etc. all contribute to your brand and reputation. It is ok to be open and honest that you aspire to be a CISO, but claiming you have had a title you haven’t will directly harm your personal brand.

Oversharing

This is a tricky one to navigate, especially in our digital world, but oversharing can be viewed negatively, which will ultimately harm your personal brand. Remember, companies are going to research you and if your posts are consistently inappropriate, demonstrate questionable behavior or air dirty laundry about your life, then this can harm your personal brand and reputation. Posts like this are fine for social media sites that are designed for family and friends, but you may want to steer clear of posting these things on professional sites like LinkedIn. If you are pursuing a top level CISO position consider making your personal social media sites private and only viewable by family and friends. Similarly, clean up your professional sites like LinkedIn by removing questionable posts, comments, etc. A good guideline for LinkedIn is treat it like you are at the office – politics, personal health issues, controversial topics, etc. are best left for private conversations at home.

Hyperbole (The Sky Is Falling)

Another way to harm your personal brand is by constantly posting hyperbole. If you are constantly claiming the sky is falling due to a new vulnerability, new technology, new risk, etc. that can detract from your personal brand. You will quickly become part of the background noise instead of part of the conversation. Instead, add your own flavor or context for how folks should navigate the issue you are posting about to establish credibility and expertise.

Bad Headshots

One final aspect that can harm your personal brand is a bad headshot. Cameras are so good these days that there is really no excuse for a poor headshot. Bad lighting, selfies in a car, pics that clearly have family / friends cropped out are all conveying a poor impression to companies and connections. If you aren’t going to invest in yourself why should they invest in you? Do a little research on how to set up a good headshot and use the portrait mode on your phone to take a decent headshot. Find people on social media that have headshots you admire and try to mimic those. Even better, pay the money for a decent headshot. They will last a few years and speak volumes to potential companies and recruiters. Headshots are your first impression to employers and so they should convey the appropriate level of professionalism for the CISO role you are aspiring to land.

Wrapping Up

Your reputation and brand are important to establish credibility and expertise that you are qualified for a top CISO role. If you aspire to be a top CISO at a public company your brand is a must have to get onto the short list of candidates. Companies research top candidates and rarely hire unknowns into top roles. Establishing a brand for how you think and what you are good at will help demonstrate you are qualified for these roles and differentiate you from other candidates. Build your brand by being consistent, positive and demonstrating breadth. Get a mentor, work on skills and take a decent headshot. Consider your brand like a never ending resume that is difficult to build, but easy to destroy. Actively taking control of your brand will help establish not only how people interact with you, but how they remember. You never know…the next person that remembers you could want you for their open CISO role.

Whats The Difference Between A CSO and CISO?

Like Arnold Schwarzenegger to Danny DeVito in the movie Twins, the Chief Security Officer (CSO) role is the big brother to the Chief Information Security Officer (CISO) role. What is the difference between these two roles and what skills does a CISO need to focus on if they aspire to become a CSO? In this post I’ll explore the role of the Chief Security Officer (CSO) and what additional responsibilities the role covers when compared to the CISO role.

Big Brother

Lately, there has been a lot of focus on the Chief Information Security Officer (CISO) role following the new SEC guidelines, recent ransomware attacks and supply chain security vulnerabilities (XZ). There can be a lot of different titles for the top security executive at a public company, but the two most common titles for a public company are Chief Information Security Officer (CISO) and Chief Security Officer (CSO). The Twins movie is a good analogy to describe the relationship between the CSO and CISO because in the movie Arnold protects Danny DeVito by helping him avoid trouble, while Danny is super scrappy and shows Arnold how the real world works. They complement each other, protect each other and help each other. One is the overall leader and one has a great hustle.

What the Twins analogy highlights is the main difference between a CSO and CISO is scope. A CSO typically has a bigger scope than a CISO. A CISO will have responsibility for all of the information and technology assets of a company, but a CSO will have this responsibility and additional responsibilities for physical security, executive protection, corporate investigations and other non-information technology based security domains. In fact, for public companies that have an established CSO role, it is typical for the CISO role and function to report to the CSO as one overall security function. Let’s dig into some of the additional functions of a CSO.

Like Arnold Schwarzenegger to Danny DeVito in the movie Twins, the Chief Security Officer (CSO) role is the big brother to the Chief Information Security Officer (CISO) role.

Physical Security

One of the biggest responsibilities for a CSO is physical security. Physical security includes site security for offices and the physical security of the personnel working at the facilities were the company operates. This can include things like cameras and video monitoring, badging systems, security and fire alarm systems, safes, locks, lighting, parking and loading docks, contractor access, mail and package security, bollards and traffic control, security guards and gates, fencing, fire suppression and other physical environment aspects. Depending on the nature of your business, this could also involve supply chain security of manufacturing facilities and components, or even critical infrastructure. It can also include tempest and RF control, including design and management of classified spaces.

One interesting aspect of physical security is to work with construction companies or physical security consulting firms to design and assess the security controls of your facilities. Books like Red Cell by Richard Marcinko offer an interesting historical perspective of how the military physically tests the security of their military installations and public companies should similarly consider an annual or periodic review of their physical security for weaknesses and risks.

If your company is involved in manufacturing, another interesting aspect of physical security is supply chain security and logistics. This is ensuring your products are manufactured securely and aren’t tampered with during the manufacturing process. It can also include assessing the security of component manufacturers, assembly plants and even shipping and logistics companies to make sure your products arrive to your customers and are functioning securely.

Lastly, another aspect of the CSO’s physical security responsibilities is interfacing with local and federal law enforcement for trends, threats and dealing with physical disruptions at your places of business like the recent examples of protests at Google offices.

Executive & Travel Protection

Another responsibility of the CSO, which is related to physical security, is executive and travel protection. Executive and travel protection covers how to physically protect your top executives from threats when they are in public, traveling, at their offices or at their homes. This can include arranging trusted transportation, route planning, on site security surveys, sending advanced teams ahead of the execs, kidnap and ransom insurance, medical support and even online reputation management. You may even arrange training for your execs such as mock kidnapping situations or how to deal with other emergency situations (like riots, terrorist attacks, wars or coups).

Executive and travel protection can include interfacing with local embassies, law enforcement or emergency services depending on the threat level of the country your senior execs are visiting. This is in addition to the existing CISO responsibilities of interfacing with law enforcement for security breaches, APTs, ransomware attacks, digital fraud, etc. Exec and travel protection can also include arranging for security companies to beef up the security of their home(s) and arranging to have their home security monitored by a private security company (if this is part of their perquisites).

Lastly, one very important aspect of executive and travel protection is digital device security. This responsibility may get delegated to the CISO, but the CSO still needs to understand and include digital security as comprehensive part of their executive protection strategy. Certain countries are known to be digitally hostile by attempting to siphon information from or compromise the devices of executives at top companies. This can be attempts at industrial espionage, theft of military and defense information, gaining business advantages, disrupting business, leveraging the exec as an attack vector into the broader company, trade advantages or potential blackmail. The CSO should consider these risks based on the destination country and provide appropriate controls to executive devices such as providing burner phones and laptops for specific country use that are sterile and won’t impact the company or personal reputation of the executive if compromised.

Executive and travel protection is important to ensure your top execs are safe and secure when traveling, but also, if your business is controversial or your top execs like to make controversial statements, this function can ensure they are safe and protected no matter what situation they are in.

Corporate Investigations

One final area of responsibility for the CSO is corporate security investigations beyond the normal technology investigations handled by the CISO. Corporate security investigations can include theft, financial crimes, waste, abuse, vandalism, misconduct, bribery and supply chain control (for ITAR or other export / import laws). You may work closely with law enforcement at the state or federal level depending on the nature and scope of the investigation and the CSO function is critical to coordinating the investigation and representing the business appropriately. Corporate investigations can also involve acting as an expert witness or providing testimony in court on behalf of your company.

One important aspect to remember is, CSOs need to have clear processes and policies defined for how and when to involve law enforcement. The decision to involve law enforcement may be based on legal requirements or may be based on other decisions, but involving law enforcement gives up control of the investigation, which could result in property being confiscated as evidence. If the evidence is a critical business asset like IT equipment, the CSO needs to ensure there are redundancies in place so the business is not disrupted or left without that capability while supporting the investigation.

Wrapping Up

The CSO role is an interesting top security executive role and offers a broader scope than the CISO role. CISOs looking to expand their remit should consider establishing credibility in the areas I’ve described above, but should also remember that most professional security certifications like the CISSP cover aspects of physical security as one of the knowledge based domains. If you don’t have a military or law enforcement background, two interesting certifications that can establish physical security credibility for CISOs are ISMA and ASIS. Lastly, CSOs will typically have responsibility for the CISO function (with the CISO reporting to them), but will also have additional remit in areas of physical security, executive protection, travel protection and corporate investigations. In my experience, the CSO role is more interesting because you get involved in all aspects of security for a company allowing you to channel your inner Arnold Schwarzenegger from Twins, while still retaining the option to flex your Danny DeVito (CISO) roots.

When Evaluating A New CISO Role Don’t Forget The SEC 10-K And Other Governance Forms

When evaluating a new CISO role it is common to do research on the company, industry, product line, etc., but an area that is often overlooked are SEC filings like the SEC Form 10-K and board committee charters. SEC filings and committee charters can offer a wealth of information about how a company views and governs key issues like cybersecurity and risk. In this post I’ll cover where to find key information, red flags to watch out for and other useful information that can be discussion topics during the interview process.

Finding The Right Forms

If you are new to reviewing SEC filings and corporate governance documents there are a number of places to find documents about corporate governance and how the company strategically views cybersecurity and risk. These documents will provide insight into who you may need to influence in order to execute a successful security program and it will also give you an implicit understanding of the priority the company assigns to cybersecurity issues. The two best places to find relevant forms are on SEC.gov (Edgar) or on the company’s own investor relations website.

SEC Forms

The most common SEC forms you will want to review when preparing for a new CISO role are the SEC Forms 10-K, 10-Q and 8-K.

  • 10-K: The SEC Form 10-K is a comprehensive annual report filed by public companies. It has a wealth of information such as their financials, how they view the market, executive compensation and more. When considering a new CISO role definitely check out section 1 and 1A. Section 1 covers an overview of the business and section 1A covers macro risk factors (you may be asked to help mitigate these risks). Section 1 may also specifically call out cybersecurity governance and have details on the reporting structure, responsibilities, experience and methods for governing cybersecurity at the company. Also check out section 7, which will detail how management describes the company and can also have details on recent acquisitions or restructuring activities, which could continue to present a risk to the business.
  • 10-Q: The SEC Form 10-Q is a comprehensive quarterly report filed by the public company. This will detail their quarterly results and will also provide any updates or changes to the sections I listed above – mainly section 1, 1A and section 7. Most of the time there won’t be any updates to these sections and they will refer back to the 10K, but it is still good to review the latest 10-Q available.
  • 8-K: The SEC Form 8-K is a form companies must file to notify investors of major events. The biggest thing CISO candidates will want to review is if the company has had any material cybersecurity or operational incidents. However, if the company deems an event isn’t material it may not be in the 8-K and so it is a good idea to do a web search of the company as well.
  • Committee Charter Docs: The last set of documents to review are the committee charter documents. This will tell you how the board is structured, which can give you insights into what to expect if you take the role and give periodic updates to the board. The committee charter documents will also outline how they govern cybersecurity, risk and technology and the committee charter documents can give you implicit insight into how the company views the role of the CSO / CISO and cybersecurity.

How Should Cybersecurity Be Governed?

When reviewing the governance and committee documents of a public company, you may find cybersecurity discussed in different places. You should review these documents and also consider discussing cybersecurity governance during the interview process.

Audit committee

The audit committee is the most common committee to govern cybersecurity and risk at a public company. The challenge with placing cybersecurity and risk in the audit committee is the primary function of that committee is financial accuracy and integrity. Cybersecurity and risk are typically listed as “other functions”, which runs the risk of it not having the same priority as financial activities and the committee members may not have the right expertise to govern these functions. The typical executive experience of an audit committee member can be CEO, CFO or COO and these individuals typically aren’t experts in cybersecurity or risk. It isn’t the end of the world, but as a CISO candidate you should review the backgrounds of the audit committee board members and ask how they interact with existing C-Level executives when discussing cybersecurity, technology and risk. You may even want to ask to interview with one of the committee members before taking the job. The main goal is to make sure you are going to get the consideration, prioritization and support you need.

Tech and cyber committee

Aside from the audit committee, the other committee that governs cybersecurity and risk is the technology and cyber committee. However, the existence of this committee is currently non-standard at public companies even though it is considered best practice for corporate governance. If the company you are interviewing has a technology and cybersecurity committee consider yourself fortunate, but you should still do your own due diligence by researching the existing committee members and their backgrounds. Consider requesting an interview with one of these committee members (if it isn’t part of the interview process) to get their perspective on cybersecurity governance and issues at the company.

The challenge with placing cybersecurity and risk in the audit committee is the primary function of that committee is financial accuracy and integrity.

Other Cybersecurity Governance Aspects To Consider

There are a few other aspects to consider when reviewing corporate governance documents. These other areas can give you valuable insight into what is expected of you if and when you assume the role of CISO at the company. First, I recommend covering materiality during the interview process. Ask if the company has a process and if possible discuss their criteria for determining materiality of a security incident. Second, review and assess how often the board committee responsible for cybersecurity meets. This can give you an idea of how often you will be expected to present to the board and may even give you an idea of the topics that are discussed.

Red Flags

The whole point of reviewing these documents is to help you make an informed decision about what you are walking into if you take the role. There are few red flags you should look out for in these documents that should definitely be discussed during the interview to make sure you are clear on your role and expectations. These red flags may also help you when negotiating for things like severance, inclusion in the D&O liability policy or other concessions.

10-K & 10-Q

Remember, the 10-K and 10-Q will have a section on risks and the company may specifically call out cybersecurity risk as a macro issue they are concerned about. However, one red flag I would bring up for discussion is does the company address how they plan to manage these risks? Something as simple as “we plan to discuss and manage these risks inline with business priorities and expectations to minimize their impact” indicates they have at least given it some thought. Even better, if the company has a detailed section on risk and risk management that addresses how they plan to govern the company to address these risks. If the 10-K and 10-Q just list the risks, it may be an indication the company is paying lip service to cybersecurity or it could mean they are waiting for the right candidate to come in and develop a plan.

Experience Of Committee Board Members

Another potential red flag is the background and experience of the board members for the committee that governs cybersecurity and technology risk. Review their background, how long they have been serving on the board and when they are up for re-election. If the committee members have a strong technology or cybersecurity background you can expect to find an ally in the board room. If the committee members haven’t been technology executives you may find you have to change your message or do some education when reporting to the board. The SEC has indicated cybersecurity experience is necessary for the board to effectively govern risks, so if there isn’t clear experience, it is something to bring up in the interview for how and when the company is planning to address the experience gap.

Cybersecurity As Part Of The Audit Committee

I previously mentioned most public companies have cybersecurity listed as an additional function of the audit committee. This can be a red flag if the board doesn’t have committee members with technology experience, but can also be a red flag if the company views the CISO role and security program as more of a compliance function. The view of the board will be directly related to how much funding and support you are able to get from the rest of the company like the CEO and CFO.

Having cybersecurity and risk as part of the audit committee can also lead to a disconnect from the main security program. For example, if the audit committee treats security more as a compliance function, they may request a group that reports directly to them that audits the effectiveness of the corporate security program. This can lead to duplication of effort, cross purposes and mixed messaging at the board level. It can also undermine the authority of the CISO if the board is independently dictating security actions to the company outside of the main security program. However, having cybersecurity as part of the audit committee isn’t the end of the world and can actually lead to support from the board, but it will require additional effort and relationship management to make sure the board is supporting your program effectively. These are all topics you will want to explore during your interview.

Other SEC Filings

There are a few other areas you should review when conducting research for a new CISO position. I highly recommend reviewing recent 8-K filings and conducting internet searches to see if the company has reported any recent security incidents or breaches. If they have, you may be walking into a situation where they need immediate help to get back to a good state, but that support may wane after the urgency of the situation dies down. If you are considering taking a role that is walking into a post incident situation, be really clear on expectations and success criteria and try to build those into your employment contract.

The other area I recommend reviewing is recent or ongoing M&A activity. This will be listed in the 10-K or 10-Q filings for the company and it can give you some insight into what you may be walking into as a CSO / CISO. M&A activity is notorious for “closing the deal” and then sorting everything out later. As a CISO this means you could be inheriting a heterogenous security program or you may have to spend a significant amount of time up-leveling the acquisition to meet the standards of the rest of the company. There may even be extensive integration, standardization, etc. that needs to be completed. All of these are risks that you should be aware of when walking into a new CISO role.

Wrapping Up

When evaluating a new CISO role for a public company I recommend thoroughly researching the company as part of your evaluation process for the role. Familiarize yourself with their business model, the latest news articles, key members of the executive staff, board members and financial statements. If you have a strong CISO network I recommend reaching out to them and getting their perspective on the position. However, overlooked areas of research are the public company filings with the SEC and other investor relations documents that can give you more perspective on the company. It is particularly important to review these documents to get an idea of how the company governs cybersecurity and risk. These documents will also highlight potential red flags and discussion topics to explore during your interview. Thoroughly researching the company and the role will not only help prepare you for the interview process, but can also give you insight into how other public companies govern these issues so you can compare with your current position and make the best decision possible for your career.

Resources

SEC Search

DDN Discussion Of Cybersecurity Governance

Start Preparing For Your Next Role During Your Current Role

If there is one piece of advice I can pass on to anyone – it is don’t wait to start preparing for your next role. No matter where you are in your career, your job will constantly expose you to new things and those new things will change your perspective, give you experience and make you grow in ways you can’t anticipate. Embrace the growth, but also have the foresight to set yourself up for success no matter where your career takes you. This post offers several lessons learned about how to constantly position yourself for success and most importantly – don’t wait to prepare for your next role.

Start With The Interview

Preparing for your next role begins the second you start interviewing for your current role. The interview process is a time for both the company and the candidate to ask questions. The process will reveal areas of growth on both sides and candidates should embrace the areas they are less confident in or need to work on. This will set them on a path for mastering those skills and to be able to use their current role as a stepping stone to the next role. Candidates can also use the interview to ask how the company views the role evolving and what is the path for promotion (either title or job level)?

During the interview process or after landing the job, candidates should evaluate and learn the skills exhibited by their immediate manager or the senior member of their team. Have conversations with these individuals and make a list of skills you need to master if you were promoted to their role. The time to work on new skills is now, not when a role or promotion is offered. By that time it is too late! Whether you are aiming for a promotion, looking for a new job or if you get laid off and need to find a new position, don’t wait to prepare until you need a job because you will be behind the curve.

Get Certifications

If you are targeting a new role or promotion, look at the qualifications and certifications of individuals in those roles. LinkedIn is a great place to do research on what is needed for career progression. Evaluate the certifications, degrees and experience of people who have the job title you want. Also review job postings to see what companies are looking for. Certifications take time, money and effort so plan accordingly. If your company offers to pay for these certifications take full advantage and build it into your performance goals. Make a plan to obtain the necessary certifications and qualifications so you can position yourself and effectively compete for the role you want.

Demonstrate Expertise

In addition to certifications you also need to demonstrate expertise. When doing your research about your next job, don’t just look at the job title. Look at the skills they require, the company size and the industry. Learn the skills, learn about the company and learn about the industry they operate in. Demonstrate expertise in these areas by writing blog posts, submitting conference talks, participating in local chapter events or participating in a podcast. You can even use popular social media platforms to generate your own content. The point is to build up a body of work that demonstrates your knowledge and most importantly to create an independent profile, separate from your job that represents who you are and what you can do. Think of it as a living resume.

Network

Networking continues to be one of the most powerful ways to advance your career. Attending conferences, chapter meetups, get togethers, and other social events puts a face to a name and builds rapport. This can be invaluable when looking for your next job, but just like everything else it takes time and effort to network.

Outside of the meetups, there are a few other recommendations I have for networking. First, don’t target the people that have the job you want, target the people that hire for the job you want. For example, if you want to be the CISO at a publicly traded company, do research on who the current CISO reports to and then figure out a way to connect with that person so you are on their radar. Second, make a list of companies that you would like to work for and research people at those companies. Start connecting and networking with those people either virtually or physically. Ask for a quick intro call to introduce yourself and learn about their role. Lastly, connect with recruiters that hire for the position you are targeting. Set up an intro call to get their perspective on the market and how you can position yourself better. This will put you on their radar as a candidate when new positions come their way. This all takes time and effort, but if you set a small goal to meet one new person a month, this can quickly lead to a lot of new people in your network by the time you are ready to make a move.

Don’t target the people that have the job you want, target the people that hire for the job you want.

Challenge Yourself

My last piece of advice is to constantly challenge yourself. First, expand your experience by learning about different aspects of the business that will help you to be successful in your next role. Learning about other aspects of the business such as finance, HR, product, sales, engineering, etc. will make you more effective in your current role and give you valuable experience for your next role. It will also generate empathy on both sides, which can pay dividends towards making your next security project a success.

Second, don’t focus on team size. Instead, focus on scope and impact of your role. You may think it is better to have an extremely large team, and while this can be good experience, it doesn’t really tell people anything about what you accomplished. Instead, focus on developing and articulating the scope and impact of your role. For a CISO and the security organization, this means becoming a trusted advisor for the rest of the business and translating your successes into career highlights.

This brings us to the last piece of advice I have, which is to keep a running “brag sheet” of your accomplishments. As you progress in your current role, write down your accomplishments and the things you learn that can be useful in future roles. Continually update your resume and social media profiles to capture these achievements so you don’t have to try and remember them when a new opportunity presents itself. Keeping your resume continually updated means it will be fresh and ready to go when a recruiter reaches out or your dream role opens up.

Wrapping Up

The biggest thing you should take away from this post is to continually improve yourself by gaining experience and credentials that will be useful in your next position. Have the foresight to think about your current position and the moves it will take to get you to your dream role. Start planning for that role today because it takes time to build up the right skills, credentials and expertise for your next job.

Should There Be A Professional CISO Certification and Organization?

I’ve been thinking a lot about the CISO role and how it is rapidly maturing from a technology and compliance role to a more generalized business executive role that specializes in security and risk. The primary catalyst for this evolution is the recent release of the SEC rules requiring companies to report material incidents on their 8K forms. It also requires companies to disclose their process for governing security issues (via committees or other processes) and their process for determining materiality (via their annual 10k filing). All of this is having a similar effect on the CISO role that Sarbanes-Oxley had on the CEO and CFO role after it was passed in 2002. The end result is public companies are now being expected to demonstrate investment and expertise in governing security issues, which is elevating the CISO role to become a true executive officer and is ushering the role into the board room.

Why Did The SEC Establish The New Requirements?

Security reporting and disclosures by public companies has been lacking. There has been zero incentive or accountability for companies to report these events other than via lawsuits, stock price corrections or brand and reputation impact These disclosures often happen as a result of a news report published months or years after the actual incident. The company then issues a generic statement downplaying the event and emphasizing how serious they take security. The SEC has determined this pattern of behavior is insufficient for investors to accurately make decisions about the health of the company.

Why Do Professional Certifications Exist?

Professional certifications exist for a number of reasons. Doctors, accountants. professional engineers and lawyers all must demonstrate a minimum level of knowledge to get licensed in their chosen profession. They must also agree to conduct themselves according to a specific code of conduct. This allows the practitioners to wield specific credentials demonstrating proficiency and credibility in that field. Displaying professional credentials attests these professionals bear the responsibility to protect life, prevent fraud or protect assets.

Additionally, professional credentials afford the practitioners a number of benefits such as knowledge sharing, continual career development, job placement and act as a back stop if someone’s conduct is called into question. Certifying organizations can testify on someone’s behalf if they believe they have upheld the requirements of the profession, or they can self regulate and strip someone of their credentials for fraud or gross negligence.

A short list of fields with professional certifications are as follows:

  • Lawyers – Bar
  • Doctors – Medical license, National Board of Medical Examiners (NBME), State level licenses, American Board of Medical Specialities (ABMS)
  • Accountants – Financial Accounting Standards Board (FASB), Government Accounting Standards Board (GASB), Generally Accepted Accounting Principles (GAAP), Certified Public Accountant (CPA)
  • Engineers – Certified Professional Engineer (CPE)
  • Privacy Professionals – International Association of Privacy Professionals (IAPP)

Existing Security Certifications And Organization Are Lacking

There are already a number of certifications security professionals can choose from on their path to becoming a CISO. A short list of common certifications listed on CISO job postings or LinkedIn profiles is as follows:

  • C|CISO
  • CISSP
  • CISM
  • CISA
  • CRISC

Of these certifications, only the C|CISO certification comes close to offering a specific certification for CISOs. The rest serve either as generalized security certifications or specific offshoots of the security profession. These certifications are often bundled together by professionals to demonstrate breadth of knowledge in the security field.

While existing certifications are good, they are all lacking in what is needed for someone to serve as a CISO at a publicly traded company. They are more generalized about how to serve as a CISO at any company (small to large), but publicly traded companies have specific requirements and demands. Specifically, most of the certifications above are extremely heavy on a breadth of technical aspects and popular industry frameworks. Some of them do cover how to create and manage a security program. Some even cover basic board level conversations (although these are usually technical discussions, which are unrealistic). Where I find these certifications lacking is as follows:

  • Realistic board level conversations about risk and tradeoffs including building effective presentations
  • Board and legal conversations about materiality for security incidents
  • Common board committees and what to expect as a CISO serving on a board level committee for your company
  • Testifying or providing legal evidence post incident
  • Legal conversations about how to best notify customers of breaches including drafting communications
  • Legal conversations with security researchers and navigating vulnerability disclosures
  • How to establish and manage a bug bounty program
  • Navigating conversations with law enforcement or national security issues
  • How to effectively change or strengthen security culture
  • How to have conversations with other C-Suite executives about security
  • Navigating customer and industry requests for disclosure of security program information
  • Managing the budget / P&L for a security function including tooling, licenses, services, travel, expenses, equipment, certifications, etc.
  • Common security team structures and how to design a security org that add maximum value for the business
  • Personnel management, skillsets expected for different roles, matching training and certifications to job function, etc.
  • Negotiating with vendors and cyber insurance companies
  • Contract review and negotiation with customers (including common security and privacy clauses)
  • Creating RFPs, RFIs and RFQs
  • Talking to customers about security at your company or hot button security issues
  • Establishing requirements, conducting trade-off analyses and performing build vs buy analysis
  • How to effectively network with peers
  • Industry resources such as ISACs, Infraguard, etc.
  • Top recruiting agencies for placing CISOs at publicly traded companies
  • Career development post operational CISO (boards, consulting, etc.)
  • Properly documenting your security program
  • How to navigate achieving common compliance certifications such as SOC1, SOC2, FedRAMP, ISO27001, HIPAA, PCI-DSS. Typical costs, consulting companies that can help with these processes and what to expect during the process.
  • When to outsource your security program to an MSP
  • When to bring in an outside consulting or incident response firm
  • Successfully passing an external audit
  • Negotiating for a job including severance, D&O liability, assessing the role, etc.
  • Differences in the CISO role depending on who it reports to (General Counsel, CTO, CIO, CEO, CFO)
  • How to navigate common security related political and moral hazards at public companies

As you can see, there is a big difference between what certifications offer and the real demands of a public company CISO. Additionally, there are a number of professional security organizations such as the Information Systems Security Certification Consortium (ISC2), Information Systems Audit and Control Association (ISACA) and The Council of E-Commerce Consultants (EC-Council). Each has their own certification track, terminology and code of conduct. Each is good in their own right, but there is still a lack of a single certifying body for public company CISOs similar to a CPA. Arguably, ISACA comes closest to being an international organization that can back CISOs, but they lack a CISO specific certification covering the majority of the topics above.

While existing certifications are good, they are all lacking in what is needed to prepare someone to serve as a CISO at a publicly traded company.

Why There Should Be A Professional CISO Certification

The SEC requirements are forcing public companies to govern security to the same standard forced by Sarbanes-Oxley 20 years ago. The SEC considers security to be a material concern to investors and public companies need to treat the issue accordingly. As a result CISOs are getting elevated to the board room and CISOs need to be prepared to navigate the issues they will encounter while serving at a public company.

The advantages of a professional CISO certification and accompanying organization are as follows:

  • Standard of ethics and conduct – CISOs face a difficult job and often walk into roles that aren’t properly supported or properly funded. Yet, CISOs are asked to bear the responsibility and accountability for the security health of the organization. A standard of ethics and conduct, similar to a CPA, will backstop the authority of the CISO and serve as guidelines for how to navigate common issues at publicly traded companies.
  • Standard credential for publicly traded companies – Large companies face a difficult job sorting through the credentials and titles of job applicants. Most public companies hire executive recruiting firms to help navigate the sea of candidates to find ones that are truly qualified for the role. However, a single professional CISO certification would distinguish individuals who have met the standard to be a CISO at a publicly traded company and distinguish these credential holders from other individuals with discretionary CISO titles.
  • Shelter the role from (some) liability – One advantage of a professional certification like the ones for doctors, engineers, lawyers and public accountants is it provides a standard of conduct. These professionals can fall back on this standard of conduct if their professionalism is called into question and they can even have the certifying organization offer testimony on their behalf. As CISO take on more liability, a professional CISO organization can be useful to help support CISOs, testify on their behalf, offer recommendations for liability insurance policies or even provide low cost liability insurance through the organization. They can even help review employment contract terms to evaluate liability policies, severance, legal coverage, etc.
  • Board Level Expertise – One of the primary roles of public company CISOs is to present to the board and help the company navigate regulatory and compliance requirements such as SEC filings, breach notifications, etc. A professional CISO certification offer individuals this experience and it can give them the confidence to speak to the board on how to navigate topics of risk. By certifying individuals are qualified to operate in the board room the board will gain another voice to balance the other C-Suite executives who aren’t grounded in technology and security issues.
  • Consulting and auditing – One final advantage of a professional CISO certification is for the “big 4” consulting firms or other agencies who are contracted by investment companies to audit and certify the filings and reports of public companies. In this case, a certified CISO can represent shareholders and investors for the accuracy of security filings around governance processes, representation in board committees, recommendations for appropriate investment in security governance and generally offering advice on industry best practices for security governance at publicly traded companies.

Wrapping Up

I’m bullish on the CISO role long term because I think it is the ultimate C-Suite executive. Public company CISOs touch all aspects of the business, they need to have strong technical chops, need to understand business topics and need to have the political chops to build alliances and navigate big company politics. Existing security certifications are good, but none of them offer a comprehensive breadth of topics to prepare individuals to become a CISO at a publicly traded company. As CISOs establish their role and credibility in the board room, it will become critical for these individuals to have credentials that back their experience, offer support and can elevate the CISO role on par with other C-Level execs, similar to what Sarbanes-Oxley did for CFOs after 2002.

Are We Peak CISO?

Let’s be honest…the CISO role is weird right now. It is going through a transformative phase and the industry is at an inflection point similar to what other C-Level roles (like the CFO) have gone through in the past. What makes the role weird? The CISO community and any company that has a CISO is facing unprecedented regulatory pressure, the economy and interest rates have people on edge, layoffs in the tech sector have shaken employee confidence (to the applause of investors) and technology innovation via AI is causing additional disruption and risk across all sectors.

In additional to these external pressures the past few years have seen the proliferation of CISO title sprawl and confusion from companies about how to best employ and utilize a CISO (hint, we aren’t your scapegoats). Despite all of this turmoil, change is also a time for opportunity and there are a few things I think will help clarify and mature the CISO role.

CISO Title Sprawl

I’ve been tracking job titles and job postings on LinkedIn for the past year or so and I’ve noticed a phenomenon I’ll call title sprawl. A quick search for titles shows there are vCISOs, Advisory CISOs, Fractional CISOs, CISOs In Residence and Field CISOs. On top of this, add in Chief Security Officers, Chief Trust Officers and Heads of Security. Do we need all of these titles? Maybe, but I think this title sprawl is more indicative of three things 1) People with CISO titles are in high demand and people want to retain the title once they get it and 2) Companies are still uncertain about how to title and employ someone to lead their security function. 3) Title sprawl is a result of the political power struggle occurring between the CISO role and other C-Level roles (more on that below).

From the titles above there are really only four functions for a current or former CISO – board member (in some capacity), executive management (officer of the company), consultant and sales. There is similar title sprawl and variance with CTO titles, but not to the extent of the CISO title (yet). Time will tell if other C-Level roles start to follow suit, but for now, let’s break down the functional CISO role buckets.

Board MemberThese are current or former CISOs who sit on a board either as a technical advisor, business advisor or some combination thereof.

Executive Management – Individuals employed by a company to lead the information security program. May also manage other parts of IT such as identity, privacy, data, etc. Titles may be CISO, CSO, CISO in Residence (for Venture Capital), Chief Trust Officer and Head of Security.

Consultant – These are individuals who are providing their expertise as a current or former CISO to other companies to help them establish, transition or manage a security program. Often the companies employing these individuals claim they can’t afford a full time CISO, but they seem to be able to afford other full time C-Suite titles (hmm…)? Titles may include Virtual CISO (vCISO), Fractional CISO, CISO in Residence and Consulting CISO. (CISO in Residence again because they can “consult” to their VC holding companies about the state of their security programs).

Sales – These are people who are experts in the field of security, may hold one or more certifications and may be past CISOs. Their job is to help the company they work for drive sales. Typically the title they use is Field CISO or Advisory CISO.

Standardize The Reporting Structure

Moving on from title sprawl, companies are also confused about where the CISO title should sit. Some companies advertise it as a Director level role reporting into the VP of some function. Other’s title it as a VP level role reporting into a Senior VP or some other executive. Still other companies have the CISO reporting to the CEO, CIO, CTO or General Counsel. It is even possible this person is an individual contributor. Companies are clearly confused about whether the CISO is a technologist, regulatory compliance specialist or true C-Suite executive. While reporting structure may be a direct reflection on company culture, it is also a public example of the battle for equivalency that is playing out between the CISO and other C-Level roles. Often, CISOs are hired by other C-Levels (not the CEO) and until it becomes more common for CISOs to report to the CEO as an accepted peer to other C-Levels, this confusion and variance will persist. That being said, if you are considering a CISO title and the company isn’t willing to add you to the D&O liability policy then you may be better off taking a lower level title to eliminate personal risk.

Bolster Security Management Certifications

Security certifications from popular organizations talk a lot about regulations, risk and different security concepts (technical or not), but few, if any, offer a comprehensive certification on what it truly takes to be a CISO. Any CISO level certification should include potential career paths that lead to the CISO role, career paths post CISO role, difference in the CISO role based on company size, exposure to business topics in addition to security topics, SEC reporting, interfacing with law enforcement and lastly discussion of how to maximize success based on where the role sits – e.g. reporting to the CEO, CTO or CIO and how that may change your lens as a CISO. This begs the question if there should be a true professional level CISO certification similar to a professional engineer, accountant or lawyer, but let’s save that discussion for a future blog post.

Embrace Increased Regulation

Given the recent increase in regulation, particularly from the SEC, bolstering CISO certifications to include more business acumen may soon be table stakes instead of a nice to have. Recent regulations forcing companies to disclose material cybersecurity events in their 8k filings are starting to accelerate the maturity of the CISO role at publicly traded companies. Companies can no longer fail to invest in security or report breaches (unless they want steep penalties). In particular, this is forcing the CISO role into the board room or at least on par with other C-Level roles because they have to help these companies navigate the decision to report material events in their filings. Existing and future CISOs can embrace this increase in regulation to backstop their authority at companies who are struggling to fully embrace the CISO role as a C-Level executive. While it may not elevate the current role with a promotion, it should at least open the door to the board room and provide a seat at the table for discussion.

While CISO reporting structure may be a direct reflection on company culture, it is also a public example of the battle for equivalency that is playing out between the CISO and other C-Level roles.

The last point I’ll make about regulation is – while the SEC watered down the requirements for cybersecurity expertise on boards, I predict this expertise will still be required and in demand as companies start to navigate the new SEC reporting requirements. In particular, companies may be penalized and eventually required to demonstrate cybersecurity board expertise (via experience or certifications) if they are found to have a material security breach and can’t demonstrate appropriate security governance at the board level.

What’s The End Result?

It is clear the security industry and the CISO role are in a state of confusion as a result of the tight job market, uncertain economy, increased regulation and pace of technology innovation. The net effect of title sprawl and the struggle for equivalency is – it confuses customers, investors, partners, recruiters and job candidates. Title sprawl artificially increases competition for jobs and causes a wide variance in how the CISO role is employed. However, I think this state of confusion is a good thing because it is forcing conversations and causing people to stop and think. The CISO role is the newest member of the C-Suite and it is growing up and trading in the hoodie for a collared shirt. We are starting to claim our seat at the board level and are able to hold our own or make other C-Level roles redundant. As the CISO role evolves from a “nice to have” to a “must have” in the C-Suite, we will see this confusion fade away and the CISO role will truly reach its peak.