The journey to CISO

This week's LifeJourney mentor of the week, Malcolm Harkins, CISO at Cylance, started out as an economics major hoping to pursue a career in international finance.

I ended up writing about cybersecurity after nearly 20 years of teaching high school English. Many who are in this field, particularly the leaders of the industry, did not arrive at their positions via one particular path.

Cybersecurity firm Digital Guardian created an infographic outlining the anatomy of a CISO. They found these commonalities of the typical CISO of a Fortune 100 company:

  • Overwhelmingly male (89%)
  • 85% had at least a Bachelor's degree. Another 40% had a Master's degree, and a few had a PhD or JD as well.
  • The top three fields of study for these CISOs were business, information technology/information security, and computer science, in that order.
  • 80% of Fortune 100 CISOs have held their current position for less than five years
  • Fortune 100 security leaders hold an average of 2.86 certifications, with more than half holding a CISSP certification and 22% holding a CISM certification.

Salo Fajer, CTO at Digital Guardian, talked about what these numbers mean for those who want to know where to begin.

"The infographic shows a strong background in IT and IT security as a practitioner. Understanding security from that perspective is important for a CISO. The combination of the business background and an understanding of security affords the knowledge and experience to balance security and risk with the productivity of the business," Fajer said.

This week's LifeJourney mentor of the week, Malcolm Harkins, CISO at Cylance, is one of those CISOs who entered into privacy, risk, and security through the business world. He shared the story of his path to his current position and offered some sage advice for those just starting out.

In his second year of graduate school at UC Davis, Harkins worked to recruit companies to recruit students into their firms. One of those companies was Intel. Encouraged to model the process, Harkins went on an interview with Intel, though he had no real sights on a job with them. He was earning an MBA in finance and accounting, but that one interview changed the course of his career.

What started as a job negotiating computing contracts for Intel led him to IT finance, where he developed a curiosity about, and a purpose and passion for, information technology risk dynamics.

"Along the path, I put my arms around anything risk related, working on security and privacy for Intel services," Harkins said. He developed a reputation as a sort of "Malcolm in the middle--the Rubik's Cube of risk" because of his intellectual curiosity.

When a friend called and said, "I need you," Harkins found a new mission with Cylance, though he was concerned that he didn't know anything about security. In response to that fear, he was told, "I have a bunch of guys here that know security, but don't know about business."

At the center of all the choices Harkins has made, particularly in his decision to become a LifeJourney mentor, is his hope and promise that technology can change the world. "I have a growing concern that security and privacy are a corporate social responsibility. If we carry the current risks forward, I am fearful of the impacts those risks can have," Harkins said.

What is a growing truth is that every company is a technical company, Harkins said. "Risk is temporal, so we need to look at cybersecurity as it applies to technology not just 'tech' itself," he continued.

For those who are starting out today, there are new and important skills for the 21st century CISO or CIO. Some readers might be familiar with the T-shaped individual who has a breadth of business and a depth of technical knowledge. Harkins said, "What we need now are Z-shaped candidates who have the breadth of technical and business acumen and a depth of knowledge in risk, security, and controls." 

All risks, Harkins said, are technology based and will have a direct impact on the business. "The way you mitigate risk is through controls," he continued.

What he hopes to instill in the children he mentors is the need for them to possess integrity, trust, values, social responsibility, and professional accountability. He has found that the more he is out on the front lines talking with kids and connecting with them through LifeJourney's online platform, the more curious they become about the field of cybersecurity.

This article is published as part of the IDG Contributor Network.