What do you think about the thoughts within this article on becoming a CISO?
I think the article asks 3 main questions:
1) You arrive at a fork (a choice between two options) in your career: do you become a better techie/SME (or maintain your current level), or venture into management?
2) Would you be happy while leading but letting your technical skills diminish?
3) Are you OK with still having to continue learning technical knowledge, but not going deep into technical skills, while learning a whole new set of skills related to management/business?
They are valid points and I think they reflect the choices made in my own career. I have seen companies hire a CISO and have it go horribly wrong for them. They hired someone with poor management skills but good technical skills (i.e. the Poor People Person - bad interpersonal skills). I have seen others hire the best available of those who applied to the job. That doesn't mean they got the best hire; they were stuck with picking the best of who had applied to the job. A few companies got it right. They either hired an experienced techie with good people skills and trained them up in the way they wanted them to be, or chose someone who had a mix of both technical and managerial positions in their resume, so this CISO position was not their first rodeo.
I feel that if someone wants to move to the CISO role they need to have good to great people skills combined with some technical background. Someone who just has a theoretical background but no real hands-on experience, I feel, is someone who may be ill-prepared for the job. I have seen people who espoused ideas that sounded great on paper but failed spectacularly when implemented. Example: a great disaster recovery process, but the DR site was located just 10 miles from HQ. If a disaster took out the building, most people would probably not be able to get to the disaster recovery site either.
So start with people skills. Learn how to make things happen. Learn customer service. Learn how to play the political game or at least know the rules of how it is played. Learn management skills. Take management roles where you are, even if it means taking on additional duties without added pay.
I feel the author has valid points, but I don't think it has to be an all-or-nothing proposition.
In a show of hands at the 2017 Secure Summit in London on being asked who aspired to be a CISO, only one or two out of an audience of a couple of hundred put their hands up. They were not the seasoned grey haired folks.
Nevertheless, it's not such a stark choice as presented in the article: technical vs. leadership. The key question is to what extent you would be comfortable being in a role in which you're a C-level exec in title only, without a seat on the Board of Directors, working in a legislative and regulatory environment in which the CEO and CFO are legally accountable, call the shots, and may leave you in a morally and ethically questionable position from month to month. Would you be comfortable with putting a gloss on the truth, or even being the fall guy if a breach occurs on your watch, a breach you've been given insufficient resources to prevent? Not that all are foreseeable or preventable anyway. CISOs, even competent ones, get thrown under the bus from time to time. So it's really a question of how resilient you are.