Five Different Routes to Becoming a CISO

Published:

The Evolving Role of the CISO: A Shift Towards Business Acumen

In recent years, the role of the Chief Information Security Officer (CISO) has undergone a significant transformation. Traditionally viewed as a technical expert responsible for safeguarding an organization’s digital assets, the CISO is now being called upon to emphasize business strategy and risk management. This shift in expectations from top management is set to reshape the pathway to this critical cybersecurity role, leading to a new breed of leaders who blend technical knowledge with business acumen.

The Changing Landscape of CISO Recruitment

As organizations increasingly recognize the importance of aligning cybersecurity with overall business objectives, the profile of the ideal CISO is evolving. A recent poll among information security professionals revealed that 47% believe the CISO role has already become less technical. This sentiment is echoed by research from IANS, which found that while 76% of CISOs have a technical background, nearly 25% have followed a primarily non-technical route, often through governance, risk, and compliance (GRC) or audit and risk functions.

This trend indicates that companies are beginning to prioritize candidates with a business-oriented career path over those with purely technical expertise. As boards demand more from their CISOs in terms of business leadership, we can expect to see a growing number of candidates emerging from diverse backgrounds.

Emerging Backgrounds for Future CISOs

As the CISO role continues to evolve, several alternative experience tracks are likely to gain prominence. Here are some key backgrounds that may become more common among future CISOs:

1. Legal Expertise

With the regulatory landscape surrounding cybersecurity becoming increasingly complex, CISOs are now required to work closely with legal departments. A candidate with a legal background, combined with relevant cybersecurity experience, could be well-positioned to navigate the intricacies of compliance and breach incidents.

2. Product Management

The push for "Secure by Design" principles has led to a greater emphasis on integrating security into product development. Companies focused on engineering and product management may seek CISOs with experience in these areas to ensure that security considerations are embedded in their product roadmaps.

3. Vendor Management

As third-party risk management and software supply chain security gain importance, organizations may look to candidates with a background in vendor management. These professionals are adept at managing complex relationships and can help mitigate risks associated with external partners.

4. Accounting

The recent introduction of cybersecurity as a specialization for Certified Public Accountants (CPAs) signals a growing recognition of the intersection between finance and cybersecurity. As more cyber accountants enter the workforce, they could emerge as strong candidates for CISO roles, bringing a disciplined, detail-oriented approach to security management.

5. Business Operations

Professionals with a background in business operations possess essential skills such as cross-functional collaboration, financial acumen, and people management. These capabilities are crucial for modern CISOs, who must effectively communicate with both technical teams and business leaders. By providing mid-career business operations professionals with security training, organizations can cultivate a new generation of CISO candidates.

The Importance of Team Building and Diversity

The evolving expectations of CISOs highlight the need for leaders who can build effective teams. While technical expertise remains important, the ability to manage technical personnel and communicate effectively with the broader business is paramount. This shift in focus may also help address the diversity problem within the CISO community. Currently, 90% of CISOs are men, and 65% are white. By broadening the recruitment pool to include candidates from various business disciplines, organizations can attract a more diverse range of leaders, fostering a cultural and philosophical shift within the role.

Conclusion

The future of the CISO role is poised for transformation as organizations seek leaders who can bridge the gap between cybersecurity and business strategy. By embracing candidates with diverse backgrounds—ranging from legal and product management to vendor management and accounting—companies can cultivate a new generation of CISOs equipped to navigate the complexities of the modern cybersecurity landscape. This evolution not only enhances the effectiveness of cybersecurity leadership but also holds the potential to enrich the diversity and inclusivity of the CISO community, ultimately leading to more innovative and effective security strategies.

As we move forward, it is clear that the CISO role will require a delicate balance of technical knowledge and business acumen, paving the way for a new era of cybersecurity leadership.

Related articles

Recent articles