Who wants to be a CISO?
Talent alienation is the biggest issue behind the cybersecurity management skills gap, but it shouldn’t be the case
Who wants to be a CISO these days? And at which stage in your career should you consider the move? What balance of managerial and technical experience do you need to have? And where do you go from there? (what’s the step after next? … always the most important question in terms of career development).
Those would be valid questions for many executive positions but when it comes to the role of the CISO, they seem to acquire a different meaning.
Let’s evacuate the first two aspects from the start: Cybersecurity has developed a high profile in many organisations over the past few years. Many firms are engaged in transformation programmes in that space, which will require strong leadership, transversal vision and managerial and political acumen from the CISO. The role is no longer a role for a junior technologist, an ex-auditor or life-long consultant. Of course, control-mindedness and a solid understanding of the technical aspects relevant to their industry sector are important, but they must not be seen as the only key aspects.
It’s the “step after next” question which seems to be the dominant factor preventing people from moving into CISO jobs.
Security still carries an image problem, in spite of the high-profile of some recent cyber incidents and the undeniable interest developed by top executives around the topic over the past few years (and the additional layer of emphasis brought in by the GDPR).
It is still seen by many as a highly specialised field and a dead-end, plagued by under-investment and management lip service, where you cannot really achieve anything.
This is becoming wrong on all fronts, in particular in large firms involved in fundamental transformation programmes around cyber security:
Security can no longer be seen as a specialised technical silo. It is a transversal discipline rooted in corporate culture and governance which will take the CISO in contact with IT, business, HR, legal, risk and compliance functions. The digital transformation and the “security and privacy by design” principles coming with GDPR accentuate that trend even further. Only by looking at security in that way can large scale transformation programmes be truly successful.
The under-investment and lip-service era is behind us in many firms: Cyber security is on the Board agenda and “are we spending enough on cyber?” is becoming one of the most common question at that level. And the GDPR brings business-threatening fines of unprecedented proportions which can turn cynical lip-service into an expensive habit. Priorities and resources are shifting towards cyber security, but with those come management expectations and execution responsibilities for the CISO.
As a consequence of the two points above, large scale cyber security transformation programmes can be very complex and very exposed. They are nothing but a dead-end. They are exceptional training grounds and prime areas where ambitious leaders can develop and prove themselves to the Board.
Of course, ambition is required; and realism around the timeframes involved with delivering lasting change: It could take 3 to 5 years – or longer – to turnaround a security practice and that would make it a significant career step for the individual involved, but the role of the transformational CISO has all attributes to attract the best talents, and it is now down to the Board to raise its profile so that it does.
This goes beyond compensation and reporting lines: It is time for role models to emerge to illustrate that the successful transformational CISO is not condemned to hopping from one CISO job to another but can move into CIO, CRO or CDO roles, or indeed any leadership position where strong turnaround skills are required.