pcarner
Newcomer II

Becoming a CISO: Education, Expertise and Experience - what if the Experience is missing?

Hi guys

It is my dream to craft my path to a CISO. I am not that young anymore - but that means I have been in the industry for some time - and have worked for IS vendors for more than a decade now. Early this year I thought my experience would serve a greater purpose if I worked for an actual organization where I could finally bring all my experience to bear on securing it.

So I studied hard, earned my CISSP and sent out resumes for Information Security Officer positions in my area. Well, it seems that I have the education and expertise I need but not the experience required (i.e. "you have never done that job..."). I feel a bit disheartened in all fairness. Any suggestions you could provide?


Thanks in advance!

6 Replies
dcontesti
Community Champion


@pcarner wrote:

I feel a bit disheartened in all fairness. Any suggestions you could provide?


Thanks in advance!


I don't think you should feel disheartened. Becoming a CISO is a progression and not something that we can easily walk into, as you need both Security experience and business exposure.

 

In my case, I spent years in Security, got my certifications and then (as it were) trained with more senior security folks who allowed me to make decisions, mistakes, presentations, talks, etc., until one day they moved on and I was able to demonstrate that not only did I understand Security but I also understood the business.

 

In my case, I found it useful to be able to talk "in layman's" terms to all levels of the organization especially in trying to understand their risk appetite / tolerance or explaining the need for Data Classification, etc.

 

It really is a bit like getting your first job out of school... "well, you don't have the experience, or you have never done that" even though you know you could be successful.

 

You mention that you have worked for IS vendors; is there any chance that one of them might shop you out as a virtual CISO? Some smaller companies do not have the budget, etc. to hire a full-time CISO but do have consulting monies. Just one suggestion.

 

Here is some advice from Forbes:

 

https://www.forbes.com/sites/quora/2018/03/20/how-to-get-a-job-when-you-dont-have-the-experience-emp...

 

I believe the article was written for new folks entering the workforce but there is a lot of it that can apply to older folks looking to re-train or transition from one field to another.

 

I especially like number 6, about becoming an excellent communicator... I have seen many resumes go into the waste basket due to poor grammar.

 

You also might consider doing work for a not-for-profit or a church or such to gain experience.

 

If you have a local (ISC)2 or ISACA chapter, network with folks, sometimes going in the side door helps.

 

Sorry, this is probably not the answer that you are looking for but I hope it helps a bit.

 

Best

 

Diana

Chuxing
Community Champion

@pcarner 

 

(ISC)² has recently added a course:

You might want to check it out.

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
RRoach
Contributor I

Been thinking along similar lines, but it will take years of experience (15-20 plus would probably be at the CISO level). So for me, where I was (help desk, networking, desktop support, firewall/IDS/router, CERT, ISSO), I added CISSP and experience with policy and NIST/RMF, to now: working on a Program Management Planning certification with plans to get some ISSM experience and also manage a security team/project, then program management, then CISO. The other part is education, as some places might want a Bachelor's, Master's, or even a Doctorate (university position).

pcarner
Newcomer II

Thanks very much for the feedback. It seems that I may already have several pieces of the puzzle (Master's degree, Project Management certification and other industry certs). What I am missing, I'm afraid, is just the opportunity to get some hands-on experience (working for a vendor doesn't make it easier), so I am considering either volunteering or finding an information security position outside the vendor space.
pcarner
Newcomer II

Thanks. Doing it!
pcarner
Newcomer II

(thumbs up)