Chief information security officers are the crème de la crème of the infosec universe, the head of the class both literally and figuratively. In information security there is no loftier goal than becoming a chief infosec officer.
At corporations it is a C-suite position, meaning one of the most powerful and influential officers in the company, and it generally reports directly to the CEO. As such, it requires extensive experience, knowledge, expertise, and hands-on skills in as many aspects of information security as possible.
Five steps to becoming a chief information security officer
1. Self-analysis: Chief information security officer is not a career path suited to everyone. It requires exceptional drive, determination, dedication, leadership skills, a capacity for forward thinking, and a desire to stay continually educated on the latest trends in the field.
By the very nature of C-suite positions, chief infosec officers also interface with most other departments within their organization, with high-ranking officials at other companies, and with government agencies. Successful CISOs must possess a high level of each of these qualities, and more, in order to excel. So be honest in the self-assessment before deciding to charge ahead on a career targeted at becoming a chief information security officer.
2. Education: Laying the groundwork for a position with responsibilities as wide-reaching and varied as a chief infosec officer's can take any number of forms. An undergraduate degree in an infosec discipline or in business administration is an obvious starting point, but nearly any computer-related or business management field will do. Training in physical security, protecting people and facilities, can also be a useful kick start. For C-suite officers like CISOs, additional education is often, if not usually, expected: a master's degree and, where desired or required, a doctorate in a more focused field under the infosec umbrella will serve you best.
3. Career path: As with education, career paths in an almost endless variety of permutations can lead to chief infosec officer positions; the possibilities are far too numerous to list here. For invaluable insight into how best to work toward being a CISO, and into how the position is evolving now and in the near future, watch this CyberSpeak interview with long-time infosec professional and current CISO Joshua Knight of Dimension Data. It is also helpful to review the education and experience requirements EC-Council lists for a candidate to be eligible to sit the Certified CISO (CCISO) exam.
4. Professional certifications: Here too, dozens of certifications can help a candidate reach the level of CISO. It is best to add certifications in each discipline you work in along the way, plus any ancillary specialties that apply to the positions on your resume.
The CCISO certificate is the pinnacle achievement for chief infosec officers. Also valuable are the training and certifications offered by Offensive Security (OSCP, Offensive Security Certified Professional), the SANS Technology Institute and GIAC (Global Information Assurance Certification), (ISC)² (International Information Systems Security Certification Consortium, which issues the CISSP, Certified Information Systems Security Professional), the ISFCE (International Society of Forensic Computer Examiners), IACIS (International Association of Computer Investigative Specialists), and IEEE (Institute of Electrical and Electronics Engineers), along with vendor-specific forensic tool certifications from Cellebrite, AccessData, BlackBag, and EnCase. More basic certifications, such as CompTIA A+, which certifies IT operational and technical support skills, can also be helpful. ISACA (Information Systems Audit and Control Association) offers Certified Information Security Manager (CISM), directed at infosec managers; Certified in the Governance of Enterprise IT (CGEIT), directed at IT governance; and Certified Information Systems Auditor (CISA), directed at infosec auditors.
5. Keep current: As in most cybersecurity careers, it is vital to stay current with what is happening in the industry. Keeping skills and knowledge up to date with the latest trends is even more critical for CISOs, since they decide how the entirety of a company's infosec resources will be deployed now and in the future. Membership in the relevant information security professional associations and training organizations is imperative for infosec leaders.
Two such professional bodies are the International Society of Forensic Computer Examiners (ISFCE) and the Scientific Working Group on Digital Evidence (SWGDE). SearchSecurity is another source of articles on specific infosec subjects, and EC-Council provides articles, podcasts and other material from working CISOs on its CISO Resources page. ISACA (Information Systems Audit and Control Association) is a great source of training and professional interaction, and Infosec Institute offers a variety of resources and training for infosec professionals. This interview by IBMBusinessInstitute with Glen Gooding, Director of the IBM Institute for Advanced Security, discusses the ever-changing infosec world and the CISO's continually evolving role within it.
What is a chief information security officer?
CISOs are alternatively known as chief security architects, corporate security officers, security managers, or information security managers. Some companies entrust this officer-level person with all aspects of security within the organization, including employees and facilities; in these cases the position may carry the title chief security officer (CSO).
A CISO by any name is still the head of all information security operations within the organization. Chief infosec officers usually report directly to the CEO (chief executive officer), and are sometimes afforded a seat on the board of directors. CISOs set the overall direction of the infosec resources under their domain, decide how those resources are apportioned among the various disciplines, manage all of the people in their department, and interact with every other department in the organization. CISOs are often the face of an organization's infosec operations in dealings with outside parties; in larger corporations in particular, this may entail dealing with government oversight, regulatory agencies, policymakers, and law enforcement agencies.
Chief information security officer skills and experience
Specific skill requirements likely to be encountered with employers include:
- Significant experience with business management and a working knowledge of information security risk management and cybersecurity technologies and strategy
- Strong understanding of Linux, virtualization, and networking concepts
- Familiarity with industry security standards and frameworks, including NIST, ISO/IEC 27001, the SANS/CIS Critical Security Controls, COBIT, and CERT
- Familiarity with current data privacy regulations, including GDPR and regional standards
- Strong understanding and experience with Secure SDLC and DevSecOps or security automation
- Capable of understanding and communicating business and profit impact that infosec operations have on the organization
Because chief information security officers are at the top of the infosec heap, there are not many certifications recognized specifically for the position. EC-Council provides the most highly sought-after program, called Certified CISO, or CCISO.
Soft skills sought by employers include superior interpersonal, written and oral communication skills; the ability to work under pressure; organization and flexibility; strong leadership skills; and experience in strategic planning and execution.
What do chief information security officers do?
Information security has become one of the most critical operations in any 21st-century organization. The chief information security officer is responsible for providing direction, processes, and resources for every aspect of the infosec operation, and that direction and those processes must be continuously reviewed, reimagined and revamped to keep pace with changes in the infosec world at large and with compliance, regulatory and legal requirements. The CISO must also be a motivational leader, and the interdepartmental and inter-organizational communicator of the organization's infosec direction and processes.
The typical CISO's purview is considered to comprise five "towers" of responsibility (the same five domains that make up EC-Council's CCISO body of knowledge). Chief infosec officers must have extensive experience and knowledge in each of them.
- Governance and risk management (policy, legal, and compliance)
- Information security controls, compliance, and audit management
- Security program management & operations
- Information security core competencies
- Strategic planning, finance, procurement, and vendor management
The relative weight and importance of each tower varies from organization to organization, but together they represent the focus areas for gaining experience in order to be competitive for a CISO position.
Chief information security officer job description
Tasks will potentially include some or all of the following:
- Design and develop an information security program roadmap to align and scale with company growth
- Lead security assessment and testing processes, including but not limited to penetration testing, vulnerability management, and secure software development
- Develop and extend security tooling and automation efforts across the organization
- Proactively identify security issues and potential threats and continuously build processes and design systems to watch for and protect against them
- Lead compliance activities including external audits, regulatory compliance projects, and overall information security reviews
- Communicate infosec operational goals, direction, and business impact to c-suite officers and board of directors
- Interface with outside stakeholders, partners, compliance agencies, and regulatory and legal authorities
- Provide strategic risk guidance and consultation for corporate IT projects, including the evaluation and recommendation of technical standards and controls
- Establish and implement a process for incident management to effectively identify, respond, contain and communicate a suspected or confirmed incident
Outlook for chief information security officers
According to InfoSec Institute, there is a worldwide shortage of nearly three million cybersecurity professionals, half a million in North America alone. Demand for qualified infosec employees significantly outstrips supply in nearly every specialty under the information security umbrella, and as a percentage of demand the shortfall grows the higher you climb on the organizational chart. The scarcity of candidates capable of managing an organization's entire infosec operation is therefore even more glaring, and it is an even more vexing problem to overcome because it takes so long to groom candidates for these higher-level posts.
There is no shortage of interesting, prestigious, and exciting opportunities for qualified CISOs. A quick search of open positions turns up such organizations as the National Security Agency (NSA), several large national and international banks, at least two state governments, and several large healthcare companies.
How much do chief information security officers make?
In 2019, Payscale.com reports that chief information security officers earn from about $105,000 to about $225,000 per year, with an average annual salary of $160,000. Bonuses, commissions and profit-sharing can add as much as $350,000 annually.