A lot of chief information security officers tell Forrester Research they didn’t plan on becoming CISOs after years of working in infosec jobs. It just happened, or they were “voluntold” for the post because no one else wanted it.
That, says the Forrester principal analyst Jeff Pollard, is changing.
“In the future [being a CISO] is going to be a choice,” he said this week during Forrester’s Security and Risk online conference. “Intent will be everything you do from here on. Be more intentional about your career, the company you decide to work for, the sacrifices you make, the things you and your teams pay attention to.”
Infosec staff have to start actively cultivating the skills that needed to become security leaders, he said. “We’re not going to be able to find our way through [a career], we’re going to have to do a lot more planning. We’re also going to have to start making a meaningful contribution at the C-level. Not just time in front of the board but meaningful time in front of the board. Helping them really understand what cybersecurity is really about, helping them understand risk and walking them through how to get from here to there.”
For all their work, Forrester believes only 13 per cent of CISOs in Fortune 500 companies are treated as if they are C-level executives.
To get across his idea of what aspiring infosec leaders need to do, Pollard drew a loose analogy with the animated film company Pixar, known for Toy Story, Monsters Inc., Wall-E and others. Pixar knows how to tell stories. So anyone who wants to be a CISO has to write their own career story, too, he argued, in the sense of having goals.
However, Pollard cautioned against aiming to be perfect. “Zero per cent of you are great at everything … We have product, privacy, guidance, incident response concerns … We’re doing too much, we’re too tactical.” Don’t let perfection burn you out, he said at one point.
It’s not enough to merely decide to be a CISO, he suggested. You have to decide what kind of CISO. Forrester figures there are six types:
- Transformational. Enjoys transforming a security program to make security more relevant to the rest of the business. Generally, these people have a goal of staying with the organization for up to six years;
- Post-breach. Comes in immediately after a data breach and overhauls the security program. Knows how to deal with pressure. Often moves on after three years when things have cooled down;
- Tactical. Helps solve technical issues in the security program;
- Compliance guru. Specializes in working in regulated industries;
- Steady-state. Likes companies that don’t need much because they’re already in good shape;
- Customer-facing evangelist. Wants to be the firm’s public face of its cybersecurity and privacy policies.
You can shift over a career from one role to another, Pollard said. But you should fit the organization.
“Think about the things that energize you, motivate you, the things you dread. Pick your dream gig. That’s your type. Find roles where that’s what they need.
“Going from one type [of CISO] to another is what should happen. That’s where the skills you cultivate matter. Identify your gaps, remediate them and then become the next type. There is no best type. There is a best type for you right now. There even is a best type of company for you right now, but there is no best type of CISO role overall. It’s a journey, it’s a continuum. Enjoy it. Maximize your success. Pick the right company based on your CSIO type. Make choices based on the skills and the type you are and the type you want to be. Every role has [bad] aspects, but don’t get sidelined by that. Don’t think, ‘I can’t be this if I’m not that.’ It’s simply not true,” he said.
Finally, think about what you might want to do after being a CISO, Pollard said. Options are becoming a CIO, founder of a startup, member of a board or an author/speaker.
“Act with intent, plan your journey, live your story, end your story your way.”