The document discusses how to build a career as a Chief Information Security Officer (CISO). It describes the CISO role as that of a doer, consultant, advisor, and leader. It notes the high demand for and low supply of CISOs. However, it also warns that the average CISO tenure is only 2-4 years and that over half of CISOs surveyed call it a bad job or the worst job they have had. Many CISOs have only partial authority over budgets and report several levels below the CEO. The document advises developing experience, education, certifications, and recommendations to qualify for CISO roles, and emphasizes connecting with others, serving others, and continuous learning to succeed in information security careers.
6. CISO, The Role
• Doer
• Consultant
• Advisor
• Leader
“Be a doer and not a critic.” - Tony Blair
7. CISO, The Role
• Doer
• Consultant
• Advisor
• Leader
“My greatest strength as a
consultant is to be ignorant and ask
a few questions.” - Peter Drucker
8. CISO, The Role
• Doer
• Consultant
• Advisor
• Leader
"Advice is like snow - the softer it
falls, the longer it dwells upon,
and the deeper it sinks into the
mind." - Samuel Taylor Coleridge
9. CISO, The Role
• Doer
• Consultant
• Advisor
• Leader
"All Leadership is influence."
-John C. Maxwell
11. CISO, The Role
• "a C(I)SO job is about the
popularity of the person holding
the role in that they need to be a
respected advisor and be able to
talk freely about risk without being
run out of the conference room
with torches and pitchforks by C-
Level staff."
• Source: http://isaca-denver.org/Chapter-Resources/Evolving_Role_of_CISO.pdf
13. Be Careful What You Ask For
• Average tenure of a CISO is 2-4 years
– 4 years - Gartner
– 2.1 years - Ponemon
• 51% stay less than 2 years
• 56% of CISOs say this is a "bad job" or the "worst job
I ever had" - Ponemon
14. Authority & Influence
• Budget authority:
– 43% partial ownership (OpEx only)
– 6% partial ownership (CapEx only)
– 23% no authority
• # of steps between CEO and CISO:
– 45% 3 steps
– 37% more than 3 steps
15. Executive Designated to be Fired
As a group, CISOs live on a knife's edge and do
not sleep very well. They know that a breach is
inevitable. They know that if one should occur on
their watch, they will be "thrown under the bus" or
left "twisting in the wind." Yet they are staff; they
are not line executives. They do not control the
assets to be protected or the resources required to
protect them. They cannot hire or fire the
managers responsible for saying who can use the
intellectual assets or specifying how they are to be
handled.
- William Hugh Murray