What is a CISO? And what it takes to become one

The chief information security officer (CISO) is the executive responsible for an organization's information and data security. Here’s how one CISO landed his first job in the position.


CISO vs. CSO

The chief information security officer (CISO) is the executive responsible for an organization's information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.

Still, according to the 2018 State of the CIO survey, there remain some notable differences in reporting relationships, which may speak to an organization's security maturity. CSOs were more likely (40%) than CISOs (17%) to report directly to the CEO.


A CISO typically has a technical information security or IT risk background, but the path that leads to the role can vary greatly. Here’s how one CISO landed his first job in the position.

How to become a CISO

Jeff Foltz did not set out to be an information security professional. He arrived at his current role as CISO at Fidelity National Financial by making the most of a series of opportunities and constantly building his skillset. His degree in psychology and philosophy would also prove more useful in his CISO job than one might think.

After graduating from Kent State College in 1994, Foltz found himself gravitating toward technology. He began his career in the IT department of a graphic arts and supply company. There he provided technical support, wrote reports and performed systems administration for computing, networking and telecom systems.

“It was a one-stop shop that forced me to multi-task and quickly learn to adapt to challenges. I also needed to be able to speak technically with peers and translate that to customer-friendly messages that could be easily understood,” Foltz says.

At that time, there was little to no “information security” as a discipline because there wasn’t much of a threat landscape. “Connectivity to the internet was just dawning with systems like CompuServe, AOL and dial-up connectivity,” Foltz says. “Viruses were limited in nature.”

In 1996 he accepted a position at a local bank, starting out as a field service LAN administrator whose main responsibility was to support the WAN and branch systems. The bank allowed him to pursue certifications in a variety of vendor platforms to stay current with the evolving technological aspects of business and commerce.


“I enjoy learning and trying to be a little bit better each day by reaching outside my current comfort zone,” Foltz says. “I learned in college the value of thought and action, and since that time have always followed the philosophy that ‘opportunities present themselves to those who are prepared.’ And as a second-generation Eagle Scout, that motto has served me well in life and as a CISO.”

Over time, the bank purchased other banks and became FirstMerit Bank. During his tenure there, which lasted until 2013, Foltz held a number of positions and responsibilities, eventually becoming the CISO.

“I was fortunate to work for a company that allowed me to build and develop IT skills concurrently,” Foltz says. “I was the administrator for diverse systems such as firewalls, databases, web sites and development. I learned through trial and error the interworking of how each system connected and the strengths and weaknesses of each system.”

As a result, he became a sort of “Renaissance IT man” who was knowledgeable about multiple operating systems, languages, syntaxes and programs.

“I was able to build the platforms, configure and harden the system, write and compile the code, and ensure secure transport and delivery of the various systems I handled,” Foltz says. “This ability provided me opportunities early on to present to the board of directors and executives for new initiatives, and it allowed me invaluable networking opportunities with industry leaders and financial executives at the company.”

Foltz always felt each of these opportunities was a bit outside of his reach and comfort zone. “But I resolved myself to take the opportunity and work at it until I felt that I was successful,” he says.

Around 2004, the information security manager at the bank retired and Foltz was awarded the position. During this time, he focused his career development on information security and business continuity/disaster recovery.

“I immersed myself in all manner of training, both on the IT side and from a management/leadership perspective,” Foltz says. He studied and attended seminars by business leaders, and in 2007 received CISSP certification. He was promoted to senior vice president and CISO, and he worked with others to build out the information security program at FirstMerit.

“During my time as the CISO, the landscape of IT and security was quickly evolving and morphing into what we know today,” Foltz says. “The threat landscape went from the very loud yet relatively benign ‘I love you’ virus attacks and being sure your AV definitions were up-to-date, to the stealthy Zeus variants of organized crime and SCADA-type nation-state sponsored attacks.”

In 2013, Foltz decided he was ready for the next step in his career as an information security professional, and he accepted a CISO position at Fidelity National Financial (FNF). “FNF has been an amazing opportunity, where I continue to apply the skills and training that I have learned over 20-plus years,” Foltz says. The company “provides unique opportunity to a CISO, due to the diversified portfolio of businesses under its umbrella of companies,” he says.

While technical acumen is still necessary in his current role, it is diminished in importance and replaced with the need to provide strong vision and leadership on multiple fronts.

“I know it is cliché to state that a successful CISO must possess good written and verbal skills, but that is absolutely the case in order to be effective and advance your career to the next level,” Foltz says. “As CISOs, we must be enablers to the business and also promote the value proposition that we offer — both in written format and through dialog and action. In an always-on, connected global network of incoming intel and threats, CISOs must determine quickly how to assess these items, and prioritize and balance actions against the business goals, while doing so safely and securely.”

Foltz says his goal is to help safeguard and protect information in whatever form or capacity. “When I speak at engagements, I like to evangelize not only the corporate side of information security, but also the personal aspects of how to keep one’s individual information safe and secure,” he says.

Today’s CISOs “have to blend a variety of skills — technical, social, psychological, business — that foster cooperation and alignment, because as CISOs we have achieved a necessary and crucial place at the table of executive management to participate in company strategy and management,” Foltz says.

Foltz’s path to becoming a CISO is not that unusual. Typically, a CISO has a technical information security or IT risk background, but the path that leads to that role varies greatly, says Joyce Brocaglia, CEO of Alta Associates, a leading executive search firm specializing in cyber security.

“There are prominent CISOs that present to the board, lead large teams, and are evangelists for their company and are no longer hands on,” Brocaglia says. “For smaller organizations, many CISOs remain hands-on and are still bogged down in the weeds of technology. It truly depends on the maturity of the department, the culture of the organization and the value they place on information security.”
