The Next Generation of CISO

One question keeps coming up in my discussions with other peers in our field, and that is where do aspiring Information Security leaders learn the necessary skills to run a mature Information Security program? There is really no professional certification or academic program that prepares you for the ins and outs of building and running an Information Security program. There are certainly classes that claim to be for security leaders, but these are really geared toward security middle management, not the top positions. We are also starting to see some university programs market their courses toward the up-and-coming security executive, but from what I have seen most don’t have experienced leaders on staff. Rather, they are just taking some computer science staff, throwing them together with faculty from the business school, and calling it a program. Certainly the CISO community is not enormous, but we need to find a way to educate the next generation of CISOs so that we don’t keep making the same mistakes over and over. It is still way too common for another leader in the organization to get thrown into the top information security position with little to no security expertise.

I was talking to a colleague just the other day about the CISO of a major corporation, and he told me that this CISO had gone right from being an IT manager to the CISO position. How did he learn what was necessary to run a fairly complex security program and bring it up to current expectations? Well, he learned on the job as he went. Imagine how much more effective and how much further along the maturity scale this program could have been if its leader wasn’t stumbling over all the same pitfalls that every modern CISO has already experienced. It seems like the best you can hope for these days is to find a great mentor to help you develop the needed skills for the CISO position and to learn from their style and mistakes. I know that in my own career I have been fortunate to find some amazing mentors who were willing to give up their time and set aside their own agendas to help with my career development. In fact, a big motivation for my last job move was to work under my current mentor, and I have seen my career opportunities grow and expand like I never imagined in that environment.

You can pick up a book and get maybe 20% of what you need to know to be a great information security leader, and if you are lucky enough to find the right mentor, you might be able to fill in the other 80%, but you really only get one perspective that way. What we need is a real structured executive leadership program for aspiring CISOs.

Not that it will totally fill this need, but I am happy to announce a new session at the RSA Conference 2011 that will hopefully inspire further development in this area. Along with some real all-stars in the field, I will be participating in a professional development session on the first day of the conference titled: Information Security Leadership Development: Building and Managing a Successful Information Security Program. The idea is that the best way to create an effective crash course in security leadership is to recruit existing leaders in the field to teach students the various topic areas needed to run a security program. The format will be several short modules throughout the morning, each presented by a different security leader. This will allow students to experience many different perspectives on what it means to be a security leader. You can see the full agenda on the RSA Conference website.

We have organized this half-day session into modules focusing on a few of the essential security leadership topics:

  • Building Blocks of a Security Program
  • Making Regulations & Audit Work for You
  • Managing the Breach

If this session is successful, and I really think it will be a hit, then I hope that we can cover some additional topics in future years or at other venues:

  • how to base your security program on risk management principles
  • navigating the relationship with internal audit or external regulators
  • measuring the success of your program and communicating metrics to executives
  • presenting security to a Board of Directors or other senior management
  • how to influence and change the culture of your company to support security initiatives
  • how to align security initiatives with the objectives of the business
  • building a long-term strategy and short-term objectives
  • maturing your program to account for privacy considerations
  • ethical decisions and scenarios for security leaders

Getting to learn first-hand from real leaders and pioneers in the field is just such a great opportunity. I hope it will inspire even more learning opportunities like it.
