The document discusses how to build a career as a Chief Information Security Officer (CISO). It describes the CISO role as involving being a doer, consultant, advisor, and leader. It notes the high demand for and low supply of CISOs. However, it also warns that the average CISO tenure is only 2-4 years and over half describe the job as their worst. Many CISOs have limited authority over budgets and report several levels below the CEO. The document advises developing experience, education, certifications, and recommendations to qualify for CISO roles, and emphasizes connecting with others, serving others, and continuous learning to succeed in information security careers.

1. Building Security Leaders
ISSA Virtual CISO Series
Aaron S. Carpenter
April 7, 2015

2. Why are we here
• How to build a CISO-worthy career
2

3. The Speaker – Aaron S. Carpenter
• Techie
• ASU Fan
• Scouter
• Dad
3

4. The Speaker – Aaron S. Carpenter
Information Security Professional
4

5. The Opportunity = Sweet Spot
5
• High demand
• Low supply

6. CISO, The Role
6
• Doer
• Consultant
• Advisor
• Leader
“Be a doer and not a critic.” - Tony Blair

7. CISO, The Role
7
• Doer
• Consultant
• Advisor
• Leader
“My greatest strength as a
consultant is to be ignorant and ask
a few questions.” - Peter Drucker

8. CISO, The Role
8
• Doer
• Consultant
• Advisor
• Leader
"Advice is like snow - the softer it
falls, the longer it dwells upon,
and the deeper in sinks into the
mind." - Samuel Taylor Coleridge

9. CISO, The Role
9
• Doer
• Consultant
• Advisor
• Leader
"All Leadership is influence."
-John C. Maxwell

10. CISO, The Role
10
• Doer
• Consultant
• Advisor
• Leader

11. CISO, The Role
11
• "a C(I)SO job is about the
popularity of the person holding
the role in that they need to be a
respected advisor and be able to
talk freely about risk without being
run out of the conference room
with torches and pitch forks by C-
Level staff.“
• Source: http://isaca-denver.org/Chapter-Resources/Evolving_Role_of_CISO.pdf

12. It’s all fun and games right?
12

13. Be Careful What You Ask For
13
• Average tenure of a CISO is 2-4 years
– 4 years - Gartner
– 2.1 years – Ponemon
• 51% less than 2 years
• 56% of CISOs say this is a "bad job" or "worst job
I ever had" - Ponemon

14. Authority & Influence
14
• Budget authority:
– 43% partial ownership (Opx only)
– 6% partial ownership (capx only)
– 23% no authority
• # of steps between CEO and CISO:
– 45% 3 steps
– 37% more than 3 steps

15. Executive Designated to be Fired
15
As a group, CISOs live on a knife's edge and do
not sleep very well. They know that a breach is
inevitable. They know that if one should occur on
their watch, they will be "thrown under the bus" or
left "twisting in the wind." Yet they are staff; they
are not line executives. They do not control the
assets to be protected or the resources required to
protect them. They cannot hire or fire the
managers responsible for saying who can use the
intellectual assets or specifying how they are to be
handled.
- William Hugh Murray

16. Where do you want to go?
16

17. How are you going to get there?
17

18. Are you ready?
18

19. Qualifications
19
• Experience
• Education
• Certification
• Recommendations

20. Qualifications
20
• Experience
• Education
• Certification
• Recommendations

21. Qualifications
21
• Experience
• Education
• Certification
• Recommendations

22. Qualifications
22
• Experience
• Education
• Certification
• Recommendations

23. Qualifications
23
• Experience
• Education
• Certification
• Recommendations

24. Never give up, never surrender!
24
• Connect
• Serve
• Learn

25. Never give up, never surrender!
25
• Connect
• Serve
• Learn

26. Never give up, never surrender!
26
• Connect
• Serve
• Learn

27. Never give up, never surrender!
27
• Connect
• Serve
• Learn

28. Never give up, never surrender!
28
• Connect
• Serve
• Learn

29. The Secret
29

30. The Secret
30
Are you a Thomas? Or are you a Rodrigo?

31. The Secret
31

32. Questions?