Who wants to be a CISO?

Talent alienation is the biggest issue behind the cybersecurity management skills gap, but it shouldn’t be the case

Who wants to be a CISO these days? And at which stage in your career should you consider the move? What balance of managerial and technical experience do you need to have? And where do you go from there? (What is the step after next? That is always the most important question in terms of career development.)

Those would be valid questions for many executive positions but when it comes to the role of the CISO, they seem to acquire a different meaning.

Let’s dispose of the first two questions from the start: Cybersecurity has developed a high profile in many organisations over the past few years. Many firms are engaged in transformation programmes in that space, which will require strong leadership, transversal vision and managerial and political acumen from the CISO. It is no longer a role for a junior technologist, an ex-auditor or a life-long consultant. Of course, control-mindedness and a solid understanding of the technical aspects relevant to their industry sector are important, but they must not be seen as the only key aspects.

It’s the “step after next” question which seems to be the dominant factor preventing people from moving into CISO jobs.


Security still carries an image problem, in spite of the high profile of some recent cyber incidents and the undeniable interest developed by top executives around the topic over the past few years (and the additional layer of emphasis brought in by the GDPR).

It is still seen by many as a highly specialised field and a dead-end, plagued by under-investment and management lip service, where you cannot really achieve anything.

This view is becoming wrong on all fronts, in particular in large firms involved in fundamental transformation programmes around cyber security:

Security can no longer be seen as a specialised technical silo. It is a transversal discipline rooted in corporate culture and governance which will take the CISO in contact with IT, business, HR, legal, risk and compliance functions. The digital transformation and the “security and privacy by design” principles coming with GDPR accentuate that trend even further. Only by looking at security in that way can large scale transformation programmes be truly successful.

The under-investment and lip-service era is behind us in many firms: Cyber security is on the Board agenda and “are we spending enough on cyber?” is becoming one of the most common questions at that level. And the GDPR brings business-threatening fines of unprecedented proportions which can turn cynical lip-service into an expensive habit. Priorities and resources are shifting towards cyber security, but with those come management expectations and execution responsibilities for the CISO.


As a consequence of the two points above, large scale cyber security transformation programmes can be very complex and very exposed. They are anything but a dead-end. They are exceptional training grounds and prime areas where ambitious leaders can develop and prove themselves to the Board.

Of course, ambition is required, along with realism around the timeframes involved in delivering lasting change: It could take 3 to 5 years – or longer – to turn around a security practice, and that makes it a significant career step for the individual involved. But the role of the transformational CISO has all the attributes needed to attract the best talent, and it is now down to the Board to raise its profile so that it does.

This goes beyond compensation and reporting lines: It is time for role models to emerge to illustrate that the successful transformational CISO is not condemned to hopping from one CISO job to another but can move into CIO, CRO or CDO roles, or indeed any leadership position where strong turnaround skills are required.

Jean-Christophe Gaillard

• A senior executive and a team builder motivated by analysing and resolving Security Strategy, Organisation and Governance challenges, and delivering real long-term solutions
• A track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation
• Over 25 years of experience developed in several global financial institutions in the UK and continental Europe, gaining exposure to all layers of management up to board level
• French national permanently established in the UK since 1993; fluent in English, Spanish & French

Specialties: Security Strategy, Organisation and Governance; Security Roadmaps, Target Operating Models and Governance Frameworks; Business Protection; Corporate Security; Information Security; Cyber Security; Operational Risk Management

CIO WaterCooler