On the road to CSO

Joyce Brocaglia, a founder and CEO of Alta Associates, an information security recruiting company, answers readers’ questions about CSO careers.

Q: What is more important to CSO employers, years of experience or skill in strategic and tactical security management?

A: When employers are searching for a CSO, they consider both years of experience and strategic and tactical security management skills. The differentiator in determining who is a stronger candidate for the position ultimately depends upon the strength of the candidates’ strategic and tactical security management experience.

Employers searching for an officer-level executive want to hire someone with a proven track record of establishing, implementing and managing an enterprisewide program. The years of experience are not as relevant as the accomplishments achieved during his tenure.

Q: How do I jump from a security manager position to a CSO or CISO role?

A: There are many ways to accomplish this task. However, the most fundamental lesson is that you must be perceived as part of the solution, not part of the problem.

If you are interested in this career progression in your current company, your success will be directly related to the credibility you have established. If you are looking outside of your organization, you will need to represent how you were able to establish credibility in your current company and how you would transfer that experience to the new organization.

Three essential ingredients to build credibility are establishing strong relationships, possessing a true understanding of your business and displaying effective communication skills.

Building relationships with key stakeholders can be as simple as identifying areas where you can help senior managers achieve their goals. By working together with them, you will win allies. Word will spread fast, and you will quickly establish a reputation as someone who gets it.

Understanding your business requires due diligence on your part. You need to be genuinely curious about the workings of your organization. Have industry-related discussions with people you respect and consider subject-matter experts in areas other than technology. You must gain an understanding of how your role and responsibilities fit into the bigger picture of what your organization is trying to accomplish and determine how you can be a positive influence.

Effective communication skills are absolute requirements for an executive-level position. Evaluate your verbal and written skills and be willing to go to charm school if necessary to strengthen them. It is very important to recognize that transitioning from an information security manager to a CISO or CSO is not just a change in jobs — it’s a change in careers. You must step out of your technical comfort zone and refine your management and communication skills to become a part of the executive team.

Q: To what extent can I expect to be able to change the culture of an organization? If my company seems security unconscious, can I expect to be able to make fundamental changes?

A: Changing corporate culture is a difficult and sometimes impossible task. My suggestion is to begin with low-hanging fruit and accomplish small wins. Pick one person within this new organization who seems receptive or has a problem that you feel you can help solve in a short period of time. If you are successful in assisting him in achieving his goals, he will become your advocate and spread the word to others about the rewarding experience. Have enough of these small wins and a consistent and positive message will spread about your capabilities.

Establishing a security awareness program is also a good way to begin to change culture. Some of the most successful programs don’t take themselves too seriously; they utilize creativity, cartoons, rewards programs and other fun ideas to get a very serious point across.

The bottom line is, it takes a lot of diligence to change corporate culture, and ultimately it may be an impossible task if you don’t have the support of senior-level management. If you can get executive management to set the tone from the top, your goal is an achievable one. If the executive management is security unconscious and unwilling to support your efforts, the best thing for you to change may be the company you work for.