Career roadmap: CISO

The position of chief information security officer (CISO) has been steadily rising in importance and visibility for several years. That’s due in large part to the fact that cybersecurity has become a much bigger priority for many organizations in the wake of highly publicized data breaches that caused a lot of damage for the attacked companies.

CISOs are the senior-level executives within organizations responsible for creating and maintaining the cybersecurity strategy and program to ensure that all information assets and technologies are sufficiently protected against attacks from inside and outside the enterprise.

In addition to overseeing decisions regarding security tools and services, these executives also manage security policies and procedures, often in collaboration with CSOs, CIOs and other senior executives.

Other responsibilities might include creating and maintaining disaster recovery and business continuity plans, helping to coordinate overall risk management, and overseeing an information security operations center.

CISOs carry the burden of responsibility for securing some of a company’s most valuable resources: its systems, networks, and data. Given the crucial role of information, applications, and connectivity in today’s business environment, anything that goes wrong with any of these resources for any reason can be a major problem.

Adding to the pressure and complexity of the job are the growth of cloud computing services, the rise of mobile devices and apps, the emergence of the internet of things (IoT), and the implementation of a host of data privacy regulations over the past several years.

Employing a CISO or similar top-level cybersecurity executive has become a standard practice for companies, government entities and nonprofit organizations. The Global State of Information Security Survey 2018, a joint survey conducted by CIO, CSO, and PwC, said 85 percent of organizations had a CISO or equivalent in place.

The role has become so important that many CISOs now report directly to CEOs or to boards of directors. CISOs not only need to have strong knowledge of security technologies and services, but a good understanding of business processes and goals, and corporate culture.

What does it take to become a CISO? To find out, we spoke with Deborah Blyth, CISO for the State of Colorado.

Education/early life

Blyth began working at a full-time job right out of high school, and later went back to college as an adult. While still working full time, she was able to graduate summa cum laude from Regis University in 2007, earning a bachelor of science degree in computer networking. She has always wanted to return to school for a master’s degree, but has not yet had the opportunity.

Deborah Blyth

“I was probably somewhat pre-destined for an IT career,” Blyth says. “My father owned a computer consulting business, and so I was exposed to computers at an early age and was taught to use them at home, before they had many computer classes in school.”

Blyth’s father brought home a personal computer one summer when she was in her early teens. “This was long before personal computers were common in homes,” she says. “To keep me busy over the summer, he would give me data entry tasks, and also buy me Basic programming books and assign me programs to write.”

When Blyth’s father got home at night, he would check her programs and help her troubleshoot and get them running. “I began to experience the excitement of writing code that could make the computer do different things,” she says. “I also enjoyed the challenge of trying to determine what went wrong and how to fix it.”

Blyth took a bit of a career detour while she was a senior in high school, however. Having a light class schedule, she went to work nearly full time at a local bookstore. “I loved working in the bookstore, and thought I would make a career in the bookstore business!” she says. “I ended up managing a subsidiary of the bookstore, which was a computer software retailer. It was there that my passion and interest in computers was reignited and I realized that I really belonged in an IT career.”

Job history

While managing a computer software retailer before she attended college, Blyth applied for an entry-level position as a tape operator at Covia, now Travelport, a company that makes technology products for the travel industry.

“I was thrilled when I got the job, and looked at it as an opportunity to get my foot in the door at a great company with endless options for an IT career,” Blyth says. “I thought I’d work my way into a programming career.”

As a tape operator Blyth worked the midnight shift, and when she got off work in the morning she would shadow the automation team and learn how it automated processes on the mainframe computer to be more efficient and resilient. She learned about scripting and other automation functions.

That helped Blyth make an easy transition into her next career move.

When the company needed someone to build automation and specialized monitoring for its UNIX platforms, she was selected for the role. The company provided significant training for her to become a UNIX system administrator, and she found that she enjoyed that role even more than her automation role.

After several days of firewall outages, the network team was rebuilding the firewall and discovered that it was really a UNIX system running the application. “At that point, they turned over the administration of the firewall to me,” Blyth says. “Realizing it to be an important security device, and having no security training, I went to the local bookstore and bought every book they had on firewalls.

Blyth studied the books and became passionate about security. Less than a year later she transferred into the information security team, taking the administration of the firewall application with her. From that point on, Blyth knew she would make information security her career focus.

Later Blyth became the manager and then the senior manager of the team. One of her proudest achievements while working at Travelport was creating the business case to get executive support and budget for a two-year effort to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).

TeleTech (now TTEC), a business process outsourcing provider, in 2009 offered Blyth a position as director of its information security program. The company needed help scoping its PCI DSS effort to ensure that all appropriate systems were included and were meeting the security standard. During her five years at TTEC she was promoted to executive director of the program.

In 2014, the State of Colorado posted an opening for the state CISO post. “The more I read that job description, the more I was sure they were looking for me,” Blyth says. “I couldn’t think of any more rewarding career than doing what I love, in service to the residents of the state that I love.”

Blyth was hired for the position, and as CISO of the state has been successful at garnering support from the legislature, the Office of State Planning and Budgeting, agency executive leadership, the state CIO and the governor.

“I have an amazing team that has delivered on all of the strategic initiatives I’ve put forth during my tenure,” Blyth says. “As a result, and because of our stakeholders faith in us, we have been able to grow the security budget to more than double what I started with.”

Memorable moments

As a UNIX system administrator, Blyth renamed one of her colleague’s accounts to “hacker,” and was reasonably confident that everyone on the team knew who the hacker account belonged to.

“However, I got a frantic phone call one day from another colleague telling me that a hacker had gained access to one of our systems,” Blyth says. “When I asked him how he knew there was a hacker on the system, he told me to display the current users and that I would see the hacker clearly logged onto our system. Simply asking our ‘hacker’ colleague to log off removed the threat.”

One of the most memorable shows of support Blyth ever received was from then Governor John Hickenlooper in 2016.

“I was presenting to the governor and his cabinet our plan to implement two-step verification into our Google platform across all state agencies,” Blyth says. The governor told his cabinet that he expected all agencies to implement the technology, and that he had already done so.

“Then the governor turned to me and said with a smile, ‘it’s not like I didn’t notice it, Debbi!’” Blyth says. “He proceeded to tell the cabinet that the extra step was worth it for the extra security it would provide. His support enabled us to implement two-step verification for every agency, and in only 90 days.”

Skills and certifications

While Blyth worked at Travelport there was a director who realized it would bring credibility to the security team if everyone was certified in an area of security. “With his guidance and assistance, most of us became a Certified Information Systems Security Professional [CISSP],” she says. “Studying for the certification on my own time and achieving that goal was exactly the push I needed to finally enroll in college and get a four-year degree.”

When Blyth started college in 2003, it was with the realization that she needed more business knowledge, especially if she wanted to grow into an executive role. “While I was very adept at the technical aspects of security, I needed to learn more about financial management, strategy and stakeholder alignment, leadership and people management, in order to be successful in a security leadership role,” she says.

She recommends that cybersecurity professionals and others invest the time to earn certifications. “It’s a good way to demonstrate your commitment to the profession, and that you have some base level of knowledge,” she says.

Biggest inspiration

“My father has always been a great inspiration,” Blyth says. “Not only is he technical, but he’s personable; people like him. He inspires trust and demonstrates that he is worthy of that trust, which is so critical when growing a business or growing a practice within a business. And my mom was always very encouraging to people. She had a natural people-leadership style that I had the opportunity to learn from.”

Blyth has been fortunate to have managers and leaders who served as mentors in her career. She recalls one executive who coached her through a difficult decision that she needed to make as a manager.

“He told me that if I didn’t make the decision it would be made for me, so I needed to step-up and own the decision,” Blyth says. “And while it was a painful decision that I didn’t initially want to own, it was a real growth opportunity which helped me to emerge as a leader during a time of uncertainty and transition.”

The executive’s leadership encouraged Blyth to look at everything as a growth opportunity — every difficult transition, every challenge, every perceived failure. “These are the best opportunities from which to learn and to grow,” she says. “It makes struggling through the difficult times doable, knowing you’ll emerge better prepared in the future.”

Advice for others taking a similar path

“Be a life-long learner,” Blyth says. “Never miss an opportunity to learn something new, because you never know how that piece of new knowledge might help you in your next role or even in your next decision.”

Cybersecurity professionals should expect to invest their own time in learning new skills, she says, because jobs will not provide all of the training needed.

“One tip that really worked for me: get your foot in the door at a great company, or with state government, and then work hard and show them how capable you are at learning and demonstrating new skills,” Blyth says. “As you become proficient in your current role, new opportunities will be presented to you and will allow you to shape your career to do what you enjoy the most.”

After five years as Colorado CISO, Blyth still enjoys what she is doing and has not given much thought to what she wants to do next. In her current role she has numerous opportunities to interact with students and individuals who are early in their careers, and to talk to them about considering a career in cybersecurity. She also enjoys interacting with peers across the state and across the nation, to learn about their programs and to share the successes and lessons her team has learned.

“Every year, my goal is to encourage more people to consider this career path, and to provide more assistance or encouragement to my peers across the nation,” Blyth says.