If you’re interested in a career in cybersecurity, it can help to have an end-goal in sight. For those seeking to rise to the very top of the cyber career ladder, we dug into who sits on the highest rung: a CISO. A CISO (Chief Information Security Officer) is a C-Suite role tasked with defending an organization from cybersecurity threats. Given hackers’ ever-evolving attack methods, the CISO position has experienced a steep growth in prominence over the past few years.
Despite the rise of the CISO, there’s still some mystery into what this executive-level role actually does at a micro-level. In a recent episode of Breaking into Cybersecurity, former Gilt Groupe CISO and current Security Scorecard CEO Aleksandr Yampolskiy sat down with Fullstack Cyber Bootcamp’s Managing Director Mark Davis and Lead Instructor Corey Greenwald to explain the role of a CISO, what they do in their day-to-day work, job requirements necessary to succeed, and how to plan your cyber career to reach the top.
Understanding the CISO Role
To get a sense of the CISO role and why it’s so challenging, Aleksandr gives this analogy: “If you have a house with 100 doors, you need to defend each door. An attacker trying to break in doesn’t need to figure out how to break into all 100 doors; they just need to break into one,” he says.
Aleksandr continues, “if you think about the typical attack life cycle, you have reconnaissance and scanning. Attackers want to find out what they can about your company, and then they want to gain and maintain access so they can exfiltrate the data. In terms of how the attackers do reconnaissance and gain access to your company, it doesn't really matter.” It doesn’t matter because once an attacker is in—they’re in.
Because of this, a CISO’s job is multi-layered and complex. It's arguably harder than an attacker’s because a CISO must make sure all 100 doors are protected. And depending on the size of the company, a CISO must accomplish this by leaning on their own cybersecurity technical expertise as well as leading a team of experts, influencing stakeholders, and creating value by saving or making the company money.
What Does a CISO Do on a Daily Basis?
A day in the life of a CISO can look very different based on which industry they’re protecting, and every day can be a new risk management exercise. No matter which industry you work in, though, Aleksandr is confident no day will be the same: “It constantly varies and that's what keeps the job very exciting and super fun.”
However, Aleksandr defines three buckets a CISO must be thinking about every day: people, execution and strategy, and cash.
People: People should be the CISO’s number one priority according to Aleksandr. A CISO must figure out how to support the current team, identify gaps in knowledge to upskill them, and identify who needs to be hired.
Execution and Strategy: To tackle this, he says “you must ask yourself what are the biggest risks that you need to mitigate? What are the crown jewels? What are the secrets that you're trying to protect?” He believes that to think through these questions and create a successful strategy, a strong technical understanding is essential.
Aleksandr continues by giving some examples ”If you’re a hedge fund you're thinking about how to implement data leakage prevention to make sure the documents are not stolen. If you work in a healthcare organization, you might be thinking about HIPAA compliance to make sure that you follow the requirements and policies.”
Cash: This third bucket may surprise some, and according to Aleksandr, “it’s exciting because it did not exist five years ago.” A CISO affects cash not only by saving the company from being hacked, but also earning the company money in different ways. Mark Davis agrees,“Some organizations rely on security as a differentiator. For example, in finance customers might lean towards using a company that has the most secure platform,” Mark says.
CISO Job Requirements
The job requirements for a CISO can vary greatly depending on the size of the team, but there are three main needs: business acumen, curiosity, and technical expertise.
To be a successful CISO, you must be a true business partner. At some companies, other executives are hesitant to work with a CISO because they expect the CISO to be a blocker to progress. Aleksandr likens CISOs to attorneys “A bad lawyer is going to tell you that you cannot do something. They’ll say, ‘There’s absolutely no way you can do this.’ This is the same with a bad CISO. On the other hand, a good CISO will tell you, “Here’s how we can do it; here’s how I can solve your problem in a safe way.”
This is echoed by cybersecurity researcher Larry Ponemon, speaking to SecureWorld. According to Larry "the most prominent CISOs have a good technical foundation but often have business backgrounds...and the skills needed to communicate with other C-level executives and the board."
Effective communication is essential to leading. And curiosity is important because, according to Aleksandr, “Bad guys always think about how to make systems misbehave.” While most software developers are optimists and think users are well-intentioned, a “successful CISO must think outside the box.”
Chris Sanders, founder of Applied Network Defense, suggests that curiosity may be an “X-factor which makes a [security] investigator great.” After a sampling of expert cybersecurity practitioners, he found that most “believe that a curious mind is important in terms of accuracy, thoroughness, and speed at which an investigation is conducted. While curiosity isn’t the only thing that makes an investigator successful in their craft, it certainly warrants attention as a key player.”
A CISO must know more than business politics and how to influence. “No matter how big the organization, a good CISO needs to have a great technical understanding in order to be effective—even if he or she is not doing all of those tasks,” Aleksandr says.
According to csoonline, the CISO role comes with “a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX compliance assessments as well.”
How to Become a CISO
If you’ve set your sights on reaching the CISO role, Aleksandr says you have to start by taking an honest inventory of your strengths and weaknesses. For example, if you have high emotional intelligence but lack technical skills, find ways to increase your knowledge. Options include cyber bootcamps or degree programs. On the other hand, you might be “the best tech ninja like many SOC analysts, but you don’t know how to deal with conflict or disagreement.” In that case, Aleksandr suggests learning more about relationship management and leadership.
Whatever your strengths though, Aleksandr encourages individuals serious about shaping their career towards a CISO role to build your network and “apprentice yourself to somebody great” so that you’re always learning. He’s confident about the results—he says that by working on your weaknesses, surrounding yourself with great people, and apprenticing yourself “I’m confident that your dreams will come true.”