Chief Information Security Officer (CISO)
The responsibilities of the Chief Information Security Officer, as the most senior position within the Information Security department.
- Chapter 2
- Updated 30 Jan 2025
The CISO is the most senior position within the Information Security department and is the department's direct route to the board of directors. Traditionally a CISO would progress through the Governance, Risk, and Compliance route or through other areas of leadership within a business; modern CISOs, however, are more technically capable and often have a foundation in engineering or operations.
A key responsibility of the CISO is to establish a robust security programme for the business. That programme is reported to the board of directors to gather support, to provide frequent feedback cycles, and to ensure it aligns with the overall business strategy.
The CISO should be a pragmatic leader and ensure the Information Security department has the tooling, skills, and training required to achieve the intended level of security posture across the business. In practice this may involve relaying evidence-based requests from the security team to the board of directors to negotiate budget, request support for an initiative, or secure any other necessary resources.
A CISO is not expected to know absolutely everything about Information Security; the field is too vast for that to be realistic. However, they should have solid foundational knowledge backed by extensive experience within security teams and across various businesses. They should be confident speaking to and selling ideas to the board of directors, evangelising the various facets of the security programme at all levels of the business, and leading a cross-functional team of security professionals.
CISOs will often acquire, and continue to renew, a number of security-related certifications. Although not a requirement, certifications can demonstrate a level of security knowledge and provide credibility during the hiring process. They are also a sign of commitment to continuous learning, which is a requirement for most roles within the field of Information Security given the ever-evolving landscape of threats to businesses.
Common certifications that CISOs hold include:
- Certified Information Systems Security Professional (CISSP)
- Information Systems Security Management Professional (ISSMP)
- Certified Cloud Security Professional (CCSP)
- Certified Information Security Manager (CISM)
- Certified in Risk and Information Systems Control (CRISC)
It’s also common for a CISO to have a Master of Business Administration (MBA), as a large part of the role is business related.
The journey to becoming a CISO is often a long one, and it is rare to find a CISO with under 15 years' experience. The best approach for reaching the Mount Everest of Information Security roles is to focus on being the best security professional you can be, evolve into a leader, and network with business professionals.