Security Careers: How To Move Up

Q: My career goal is to become a CSO within 10 to 12 years. I currently have an opportunity to take a government contractor position, but it is not a management-level position. It is an intrusion-detection analyst position. It would allow me to obtain a top-secret Department of Defense security clearance in about three years. Will top-secret (TS) clearance help me when I seek a CSO position in the future?

A: While a TS clearance is always important, relevant and useful, it is not necessarily a requisite to becoming a top-level security advisor. What might be more important is to expand your horizons by accepting the most challenging and difficult tasks in your current company that will allow you to manage and lead security operations, threat analysis and attack-prevention areas.

Q: I’ve been in the business for more than 10 years, but I am having a tough time breaking into an upper-management position. What can you suggest that will give me that edge?

A: Education and performance seem to be the constant keys to success. The old adage “grow where you are planted” seems important here. You should attempt to excel at all opportunities to show your initiative, leadership and responsibility. The ability to write, recommend and lead successful courses of action will put you where you want to be.

Q: What are the distinguishing characteristics you look for in leading information security personnel?

A: The ability to analyze threats and to ensure their defeat is the number-one distinguishing characteristic. There is no substitute for results. In your world, results are measured by the ability to defeat incidents before they happen. You should also continue to seek any opportunity to participate in any forum that will allow you to see the latest methods and best practices in information security. The ability to clearly, concisely, concretely and briefly express your point of view on information security matters will also highlight your capabilities.

Q: Will CISOs have upward career potential, and if so, what experience and capabilities can inflect those careers? How much lateral movement will be required for a CISO to take the CIO slot? Or will CISOs find more success in other career paths in the corporation, such as audit?

A: The role of CIO is far more complex, typically, than the role of CISO. The move from CISO to CIO is not necessarily a lateral move, but rather an upward move in most organizations. Candidates for CIO roles will have to be highly qualified in a number of information systems that support businesses. Any experience that you can gain outside the information security area will be of great value.

Q: I received my CISSP last spring and have more than 25 years of experience in the insurance industry. Do you feel a CSO position is an appropriate and realistic career goal? What is the future outlook for the CSO role?

A: The future is bright for senior security professionals. The world we live in will continue to be an inherently dangerous place, and in the long run, those businesses that can outmaneuver the threats against them will be the winners. Those moves will have to be led by bright, talented leaders in the security field. As for transitioning from CISSP to CSO, you will have to gain practical experience, which includes physical security, protection operations, threat analysis and business-continuity planning.

Q: Should corporate security professionals consider obtaining an MBA to enhance their credibility and reputation in the eyes of senior management?

A: One of the key attributes that senior business management admires in security professionals is the ability to understand not only the business they are in but also broad business concepts. An MBA certainly puts you in a position to do that. The better you understand business drivers and value to shareholders, the more effective you can be as a CSO…and the more credible you will be to your business-unit leaders.