Hi guys
It is my dream to craft my path to a CISO. I am not that young anymore - but that means I have been in the industry for some time - and have worked for IS vendors for more than a decade now. Early this year I thought my experience would serve a greater purpose if I worked for an actual organization where I could finally bring all my experience to bear on securing it.
So I studied hard, earned my CISSP and sent out resumes for Information Security Officer positions in my area. Well, it seems that I have the education and expertise I need but not the experience required (i.e. "you have never done that job..."). I feel a bit disheartened in all fairness. Any suggestions you could provide?
Thanks in advance!
@pcarner wrote: I feel a bit disheartened in all fairness. Any suggestions you could provide?
Thanks in advance!
I don't think you should feel disheartened. Becoming a CISO is a progression and not something that we can easily walk into, as you need both security experience and business exposure.
In my case, I spent years in Security, got my certifications and then (as it were) trained with more senior security folks who allowed me to make decisions, mistakes, presentations, talks, etc., until one day they moved on and I was able to demonstrate that not only did I understand Security but I also understood the business.
In my case, I found it useful to be able to talk "in layman's" terms to all levels of the organization especially in trying to understand their risk appetite / tolerance or explaining the need for Data Classification, etc.
It really is a bit like getting your first job out of school... "well you don't have the experience, or you have never done that" even though you know you could be successful.
You mention that you have worked for IS vendors, any chance that one of them might shop you out as a virtual CISO? Some smaller companies do not have the budget, etc. to hire a full time CISO but do have consulting monies. Just one suggestion.
Here is some advice from Forbes:
I believe the article was written for new folks entering the workforce but there is a lot of it that can apply to older folks looking to re-train or transition from one field to another.
I especially like number 6, about becoming an excellent communicator... I have seen many resumes go into the waste basket due to poor grammar.
You also might consider doing work for a not-for-profit or a church or such to gain experience.
If you have a local (ISC)2 or ISACA chapter, network with folks, sometimes going in the side door helps.
Sorry, this is probably not the answer that you are looking for but I hope it helps a bit.
Best
Diana
(ISC)² has recently added a course:
Been thinking along similar lines, but it will take years of experience (15-20 plus would probably be at the CISO level). So for me, where I was (help desk, networking, desktop support, firewall/IDS/router, CERT, ISSO), I added CISSP and experience with policy, NIST/RMF, to now: working on a Program Management Planning certification with plans to get some ISSM experience and also manage a security team/project, then program management, then CISO. The other part is education, as some places might want a Bachelor's, Master's, or even a Doctorate (university position).