How to become a CISO
If you have your sights set on the top job in security, there are a number of things you will need to do to secure it. CISO salaries are typically in the £120,000 - £130,000 range, with some going to over £300,000 plus benefits. In the US, salaries are often closer to $600,000, with some reaching $1 million in basic salary. Working your way up to this role is worth it financially, although it comes with a lot of pressure. You also need to be a well-rounded security and risk professional. CISOs have responsibility for a large number of areas such as:
What is obvious from this list is that it would be very hard to be an expert in all these areas. The good news is that this gives you a couple of different routes into the CISO job.
Route one – security expert
Traditionally, the CISO was the most experienced security professional in the organisation. Working your way up through security is one possible way to get the CISO job. This route will typically see you gain security qualifications such as the CISSP and work across a broad range of security engineering and operations. If this is the route you want to take, make sure that you gain skills or roles in areas that are not your specialism, so that you have the breadth to become a CISO. Ideally, spend some time in cyber risk or information security policy. You may have to make a couple of sideways moves to get the required experience within the organisation.
Route two – consulting
A great way to get a breadth of experience relatively quickly is to work for a consulting firm. While making use of your expertise, you will get exposure to a range of customers, technologies and, hopefully, different areas of security. As you work your way up in one of these organisations, you will gain the soft skills required to become a CISO. Once you have reached an equivalent level, you can look to move into industry as a CISO.
Route three – risk management
A number of the skills needed by CISOs are risk management focused. You also need some core business skills, such as relationship management and an understanding of how businesses approach risk. We see a number of candidates, already senior in their own governance discipline, moving successfully into cyber security. These candidates make excellent CISOs: they understand risk, know how to talk to the board and how to manage PR and training, and they quickly learn about the security issues. The CISO does not need to be the technical expert, so a lack of in-depth technical knowledge does not preclude them from the job. You do, however, need some technology experience; enough to know how to direct the team to do their jobs and to report upwards.