What do you think about the thoughts within this article on becoming a CISO?
I think the article asks 3 main questions:
1) You arrive at a fork (choice between two options) in your career: do you become a better techie/SME (or maintain your current level) or venture into management?
2) Would you be happy while leading but letting your technical skills diminish?
3) Are you OK with still having to continue to learn technical knowledge, but not deep into technical skills, while learning a whole new set of skills related to management/business?
They are valid points and I think they reflect the choices made in my own career. I have seen companies hire a CISO and it go horribly wrong for them. They hired someone with poor management skills but good technical skills (i.e. the Poor People Person - bad interpersonal skills). I have seen others hire the best available that applied to the job. Doesn't mean they got the best hire, but they were stuck with picking the best of who had applied to the job. A few companies got it right. They either hired an experienced techie with good people skills and trained them up in the way they wanted them to be, or chose someone who had a mix of both technical and managerial positions in their resume, so this CISO position was not their first rodeo.
I feel that if someone wants to move to the CISO role they need to have good to great people skills combined with some technical background. Someone who just has a theoretical background but no real hands-on experience, I feel, is someone who may be ill-prepared for the job. I have seen people who espoused ideas that sounded great on paper but failed spectacularly when implemented. Example: great disaster recovery process, but the DR location was located just 10 miles from HQ. If a disaster took out the building, most people would probably not be able to get to the disaster recovery site either.
So start with people skills. Learn how to make things happen. Learn customer service. Learn how to play the political game or at least know the rules of how it is played. Learn management skills. Take management roles where you are, even if it means taking on additional duties without added pay.
I feel the author has valid points but I don't think it has to be an all or nothing proposition.
In a show of hands at the 2017 Secure Summit in London, on being asked who aspired to be a CISO, only one or two out of an audience of a couple of hundred put their hands up. They were not the seasoned grey-haired folks.
Nevertheless it's not such a stark choice as presented in the article: technical vs. leadership. The key question is to what extent you would be comfortable being in a role in which you're a C-level exec in title only, without a seat on the Board of Directors, working in a legislative and regulatory environment in which the CEO and CFO are legally accountable, call the shots and may leave you in a morally and ethically questionable position from month to month. Would you be comfortable with putting a gloss on the truth or even being the fall guy if a breach occurs on your watch; a breach you've been given insufficient resources to prevent, not that all are foreseeable or preventable anyway. CISOs, even competent ones, get thrown under the bus from time to time. So it's really a question of how resilient you are.
I think a lot of it depends on the size of the enterprise. While a Fortune 500 CISO may be more management/leadership, a smaller business may require a more balanced technical/leadership approach. You absolutely have to give up some technical things to move into a leadership role; you just don't have enough hours to do both, and you have to spend some of those hours developing the skills of the people around you. To do that, you can't always try to learn the new thing and have the answer any more; you need to trust others to. That doesn't mean you can't keep up some skills, maybe focus a little more, or look toward the horizon more (where you should be looking anyway, as a leader), where the technology isn't as developed and doesn't require as much detailed knowledge, since it doesn't exist yet. In the end, you have to follow what you really want, and what you are good at. I recall a scene a long time ago on the show The West Wing. President Bartlet says to Josh Lyman, "The difference between you and me is that I want to be the guy, and you want to be the guy the guy depends on." Which do you want to be?