If you're a Security professional looking to become a CISO, then you've come to the right place. This five-step guide is your plan of action...
December 13, 2022
The 5-Step Action Plan to Becoming CISO
The Path to Becoming CISO Isn't Always Linear
There isn’t one definitive path to becoming a CISO.
Don’t be discouraged if your career path isn’t “typical.” If your end goal is to become a CISO, then you’ve come to the right place. Keep reading for a comprehensive action plan that will guide you from your current role in IT, IS or cybersecurity onto the path to becoming a world-class CISO.
Becoming a CISO is About Changing Your Focus
The Difference Between IS, IT or Cybersecurity Roles and a CISO Role: Tactical vs. Strategic
Making The Shift from Security Engineer to Future CISO
The most common mistake security engineers make when aiming for the CISO role is one of focus. To be successful as a security engineer, the focus is on problem hunting: a top-tier security professional must be the best at identifying and fixing vulnerabilities others can’t see.
How to Think and Act Like a Future CISO
While security engineers identify problems, CISOs translate the problems the security engineers find into solutions for the C-suite, the CEO and the board. To be successful in the CISO role, you must move from a problem-finding mindset to a solution-oriented one.
A common mistake when transitioning to CISO is leading with what’s most familiar: selling your technical competency. While understanding the technology is crucial when interfacing with the security team, it isn’t the skillset to lead with when speaking to the C-suite and board. They care about solutions, not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and can translate them into business terms: risk, profit and loss. To succeed in securing your new role, focus on positioning cyber as a business enabler that helps the business reach its growth targets.
The Skillset Necessary to Become a CISO
Translate technical requirements into business requirements
Brief executives, VPs, C-level, investors and the board
Understand the business you’re in at a granular level (the company, its goals, competitors, yearly revenue, revenue projections, threats competitors are facing, etc.)
Excellent communication: Send effective emails and give impactful presentations
Balance the risk between functionality and security by running risk assessments
Focus on increasing revenue and profitability in the organization
Focus on a solution-oriented mindset, not an identification mindset
Getting Clear on the CISO Role: So, What Does a CISO Actually Do?
Learn The CISO’s Role and Responsibilities (R&R)
The CISO is essentially a translator between the security engineering team and C-suite.
Set Yourself Up for Success in the Role: Measure What Matters
What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game.
This means any security incident = CISO gets fired = No one wins
But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality.
100% security means 0% functionality, and vice versa.
Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success.
Establishing Your Metrics of Success in the CISO Role
What makes CIOs so successful in their role? A single metric of success: five nines (99.999% availability). This allows CIOs to focus on the R&R necessary to achieve that goal.
Suggested CISO KPI & KPI Setting Process
Run an analysis of how many attempted attacks take place weekly at the organization to establish a benchmark. Agree up front which detections count as an “attempted attack” (for example, blocked exploit attempts and malware, but not background port scans); otherwise the metric is inflated by noise and says nothing about real exposure.
Provide an executive report with the weekly attack-attempt metric (e.g., 300).
Create a proposed benchmark of success, e.g., preventing 98% of attempted attacks.
Get management signoff on your proposed KPIs.
Provide weekly reports to executives with the defined attack metrics: attempted weekly attacks and the number prevented (ensuring security incidents, i.e., the attacks that were not prevented, are promptly reported to the C-suite and board).
Adjust KPIs as necessary and receive management signoff.
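The KPI process above, as an added example that is not part of the original article: a small Python report generator that turns a week of constructed detection records into the numbers the executive report needs (attempted, prevented, prevention rate against the agreed target) and lists the non-prevented events as incidents. The log line format, the sensor names, the set of categories that count as an “attempted attack” and the 98% target are all assumptions for illustration; a real deployment would read these from a SIEM export and the signed-off KPI definition.

```python
"""Weekly CISO prevention-rate KPI report over constructed detection events.

Added example, not code from the original article. Log format, field names,
the COUNTED categories and the 98% target are assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sample log lines (not real telemetry). Assumed format:
#   <ISO date> <sensor> <category> <blocked|allowed> <source-ip>
SAMPLE_LOG = """\
2022-11-07 ips exploit blocked 203.0.113.10
2022-11-07 waf sqli blocked 198.51.100.7
2022-11-08 waf sqli allowed 198.51.100.7
2022-11-09 ips scan blocked 203.0.113.44
2022-11-09 ips scan blocked 203.0.113.44
2022-11-10 edr malware blocked 10.0.0.5
2022-11-11 mail phishing blocked 192.0.2.9
2022-11-14 ips exploit blocked 203.0.113.10
2022-11-15 waf sqli blocked 198.51.100.8
2022-11-16 edr malware blocked 10.0.0.12
2022-11-16 edr malware blocked 10.0.0.13
2022-11-17 ips scan blocked 203.0.113.44
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (blocked|allowed) (\S+)$")

# Categories that management and the security team agreed count as an
# "attempted attack" (assumed). Port scans are deliberately excluded: they are
# cheap to block and would inflate the prevention rate without measuring exposure.
COUNTED = {"exploit", "sqli", "malware", "phishing"}


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not miscounted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, sensor, category, action, src = m.groups()
        events.append({"date": date.fromisoformat(day), "sensor": sensor,
                       "category": category, "action": action, "src": src})
    return events


def weekly_kpi(events, target=0.98):
    """Group counted events by ISO week and evaluate the prevention-rate KPI.

    Returns {"YYYY-Www": {"attempted", "prevented", "rate", "met", "incidents"}}.
    Incidents are the counted events that were allowed through and must be
    reported promptly, independent of whether the weekly target was met.
    """
    weeks = defaultdict(lambda: {"attempted": 0, "prevented": 0, "incidents": []})
    for ev in events:
        if ev["category"] not in COUNTED:
            continue
        year, week, _ = ev["date"].isocalendar()
        w = weeks[f"{year}-W{week:02d}"]
        w["attempted"] += 1
        if ev["action"] == "blocked":
            w["prevented"] += 1
        else:
            w["incidents"].append(ev)
    report = {}
    for key in sorted(weeks):
        w = weeks[key]
        # A week with no counted attempts has nothing to prevent; treat it as met.
        rate = w["prevented"] / w["attempted"] if w["attempted"] else 1.0
        report[key] = {"attempted": w["attempted"], "prevented": w["prevented"],
                       "rate": rate, "met": rate >= target, "incidents": w["incidents"]}
    return report


def format_report(report):
    """Render the executive summary: one line per week plus any incidents."""
    lines = []
    for week, r in report.items():
        status = "MET" if r["met"] else "MISSED"
        lines.append(f"{week}: attempted={r['attempted']} prevented={r['prevented']} "
                     f"rate={r['rate']:.1%} target {status}")
        for inc in r["incidents"]:
            lines.append(f"  INCIDENT {inc['date']} {inc['sensor']} {inc['category']} from {inc['src']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(weekly_kpi(parse_events(SAMPLE_LOG))))
```

Running the block prints two weeks: 2022-W45 misses the target (4 of 5 counted attempts prevented, one SQL injection incident to report) and 2022-W46 meets it (4 of 4); the two scan events in each week are excluded from both numerator and denominator, which is the definitional choice you want signed off together with the target.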
Mind the Gap: Bridge Your Current Technical and Business Gaps
Recommended Technical Education
GIAC GSEC (Security Essentials)
CISSP (Certified Information Systems Security Professional)
or CISM (Certified Information Security Manager)
or CISA (Certified Information Systems Auditor)
SASE (Secure Access Service Edge) certification
SSE (Security Service Edge) certification
Recommended Technical Experience
At least 3-5 years in IS, Cybersecurity, Networking or IT with a strong security focus
Recommended Business Education
An MBA or equivalent business degree, or relevant business experience
CPA or accounting courses
Recommended Business Experience
Approximately 3-5 years of business experience
Business Operations, Business Management, SOC Manager, or roles that demonstrate your business, management and leadership acumen
Recommended Understanding Of:
Industry security standards and frameworks, including NIST, ISO 27001, SANS, COBIT and CERT, and sector regulations such as HIPAA.
Current data privacy regulations, e.g., GDPR, CCPA and any regional standards.
How to Get a CISO Job with Limited or No Previous Experience
It’s the age-old dilemma: how do I get a job without relevant experience? And how do I get relevant experience without a job?
Take On a Virtual CISO Role at a Friend or Family Member’s Small Business
Offer 3 hours of virtual CISO service a week.
In exchange, ask for 3 recommendations a month and for the owner to serve as a positive reference.
Can you receive mentorship from an existing CISO?
Do friends, family or former colleagues know any CISOs you can connect with? Start there.
Reach out on LinkedIn to CISOs and invite them to coffee or dinner. Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay).
Remember: It’s a numbers game. Don’t get discouraged after a few “no's” or a lack of responses.
Getting Your First CISO Job: Your Action Plan for Career Success
Applying For Jobs
Your resume has one and only one goal: to get you the interview.
Week 1:
Send out 20 resumes for CISO jobs with your existing resume
How many respond and request interviews (within 2 weeks)?
If you get under a 50-70% response rate, you need to revise your resume.
Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5-2 weeks to respond). Be ready to adapt and adjust your resume as many times as necessary, using the process above, until you hit your benchmarks of success.
Revising your Resume for Success
If you’re not hitting a 50-70% interview rate on your resume, it’s time to revise it. But what do you change?
The Most Common Mistakes Found on CISO Resumes (Don’t Fall into a Trap)
Your resume should highlight not only your technical abilities but your business acumen. Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements).
Have you briefed executives and boards?
Have you given effective presentations?
Have you created risk management programs and aligned the entire organization?
Do you lead an online forum on Cybersecurity best practices?
Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities.
The Interview Rounds
The CISO interview process is generally between 5-7 interview rounds.
Remember: the goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, CIO, HR, and more.
You’ve Got This: The Road to Landing Your First CISO Role
As the saying goes, “the best way to predict the future is to create it.” We hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who’s hunting for a new CISO role, if you feel it’s been helpful.
Life After Landing the Coveted CISO Role
Congrats! You’ve Been Hired as a CISO
You did it. You’ve landed your first CISO role. We couldn’t be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success.
Ensuring Your Success in the CISO Role: Things to Keep in Mind
After speaking with thousands of CISOs since 2016, we’d suggest keeping the following in mind:
Your Network Security Architecture Will Determine Your Focus and Impact
No matter the organization or the scope, your CISO role depends on meeting, if not exceeding, your promised KPIs. So you’ll need to decide: do you want a reactive or a proactive security team? Do you want your team to spend its time hunting and patching security vulnerabilities and reconciling disparate security policies? Or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you’ll need to ensure that your network security architecture minimizes your enterprise’s attack surface, so you and your team can devote your attention where it matters.
To achieve this, your team must have full visibility and control of all WAN, cloud, and internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical, instead of focusing on serving as a business enabler through cybersecurity.
Cato SSE 360 = SSE + Total Visibility and Control
Disjointed security point solutions overload resource-constrained security teams, degrading security posture and increasing overall risk through configuration errors. Traditional SSE (Security Service Edge) convergence mitigates these challenges but offers limited visibility and control that extends only to the Internet, public cloud applications, and select internal applications, leaving WAN traffic uninspected and unoptimized. And an SSE platform that isn’t part of a single-vendor SASE can’t extend convergence to SD-WAN to complete the SASE transformation journey.
Cato Networks’ SSE 360 service allows you to solve this. SSE 360 optimizes and secures all traffic to all WAN, cloud, and internet application resources, across all ports and protocols. For more information about Cato’s entire suite of converged network security, please read our SSE 360 Whitepaper. Complete with configurable security policies that meet the needs of any enterprise IS team, see why Cato SSE 360 is different from traditional SSE vendors.
The Only SASE RFP Template You’ll Ever Need
Why do you need a SASE RFP?
Shopping for a SASE solution isn’t as easy as it sounds. SASE is an enterprise networking and security framework that is relatively new to the enterprise IT market (introduced by Gartner in 2019). At less than 3 years old, SASE is often prone to misunderstanding and vendor “marketecture.” Meaning: if you don’t ask the right questions during your sales and vendor evaluation process, you may be locked into a solution that doesn’t align with your current and future business and technology needs.
A Quick Note about Cato’s RFP Template
Do a quick Google search and you’ll find millions of general RFP templates. Cato’s RFP template, by contrast, covers only the functional requirements of a future SASE deployment. There are no generic RFP requirements in our template, such as requesting corporate details about the vendor.
So, What Must a SASE RFP Template Include?
Cato Networks has created a comprehensive, 13-page SASE RFP template, which contains all business and functional requirements for a full SASE deployment. Just download the template, fill in the relevant sections to your enterprise, and allow your short-listed vendors to fill in the remainder. While you may see some sections that are not relevant to your particular organization or use case, that's all right. It’s available for your reference, and to help you plan any future projects.
A Sneak Peek at Cato’s RFP Template
If you’d like a preview of Cato Networks’ SASE RFP template, we’re providing you with a high-level outline. Take a look at this "quick-guide", and then download the full SASE RFP template to put it into practice.
1. Business and IT overview
You’ll describe your business and IT. Make sure to include enough details for vendors to understand your environment so they can tailor their answers to your specific needs and answer why their solution is valuable to your use case.
2. Solution Architecture
Understand your proposed vendor’s architecture: what it includes, what it does and where it is placed (branch, device, cloud). Comprehending vendor architecture will allow you to better determine how a vendor scales, how they address failures, deliver resiliency, etc.
3. Solution Capabilities
Deep dive into your proposed vendor’s functionalities. The idea is to select all sections relevant to your proposed SASE deployment and have the vendor fill them out.
Require a thorough description of a proposed vendor’s SD-WAN offering, covering link management, traffic routing and QoS, voice and latency-sensitive traffic, throughput and edge devices, monitoring and reporting, site provisioning, and gradual deployment / co-existence with legacy MPLS networks.
Understand traffic encryption, threat prevention, threat detection, branch, cloud and mobile security, identity and user awareness, policy management and enforcement, as well as security management, analytics and reporting.
Determine the vendor components needed to connect a cloud datacenter to the network, among other areas.
Mobile (SDP / ZTNA)
Understand how vendors connect a mobile user to the network, their available solutions for connecting mobile users to WAN and cloud, and other key areas.
Explore your vendor’s global traffic optimization, have them describe how they optimize network support for mobile users, and more.
4. Support and Services
Evaluate service offering and managed services. This is the perfect time to ask and understand whether your proposed vendor uses “follow-the-sun" support models and decide whether you want a self-managed, fully managed, or co-managed service.
Support and Professional services
Understand whether vendors abide by “follow-the-sun” support, their hours of support and more.
Get a sense of vendor managed services in several key areas.
Next Steps: Get the Full SASE RFP / RFI Template
Whether you’re new to SASE or a seasoned expert, successful SASE vendor selection starts with asking the right questions. When you know the correct questions to ask, it’s easy to understand whether a SASE offering can meet the needs of your organization both now and in the future. Download Cato Networks’ full SASE RFP / RFI Made Easy Template to begin your SASE success story.
IT Managers: Read This Before Leaving Your MPLS Provider
Maybe you’re an IT manager or a network engineer. It’s about a year before your MPLS contract expires, and you’ve been told to cut costs by your CFO.
“That MPLS – too expensive. Find an alternative.”
This couldn’t have come at a better time...
Employees have been blowing up the helpdesk, complaining about slow internet, laggy Zoom calls and demos that disconnect with prospects. Naturally, it’s your job to find a solution...
There actually could be several reasons why it’s time to pull the plug on your MPLS, or at least, consider MPLS alternatives.
1. Get crystal clear on your WAN challenges:
Do any of these challenges sound familiar?
A. You’ve been told to cut costs
It’s no secret that MPLS circuits cost a fortune, often 3-4x the price of MPLS alternatives (like SD-WAN) for only a fraction of the bandwidth. But the bottom line isn’t the only factor to take into consideration. Lengthy lead times for site installations (weeks to months), upgrades, and never-ending rounds of support tickets must all factor into the TCO of your MPLS. In short, MPLS is no longer competitively priced for today’s enterprise, which needs to move at the speed of business.
B. Employees constantly complain about performance
While the traditional hub-and-spoke networking topology comes with its advantages, when users backhaul to the data center they clog the network with bandwidth-heavy applications like VoIP and file transfer. Multiply that by hundreds or thousands of simultaneous users and you choke your network, creating performance problems that IT is tasked to solve. Wouldn’t it be nice if IT were free to solve business-critical issues instead of recurring network performance issues?
C. You’re “going cloud” and migrating from on-prem to cloud DCs and apps
Migrating from on-prem legacy applications to cloud isn’t generally an “if” but a “when.” And the traditional hub-and-spoke networking architecture adds too much latency to cloud applications when the goal is ultimately improved network performance. Additionally, optimizing and securing branch-to-cloud and user-to-cloud access can’t be done efficiently with physical infrastructure; it requires cloud-delivered security services such as SWG, FWaaS and CASB.
D. IT now needs to support work from anywhere, with no downtime
Prior to COVID, work from anywhere was the exception rather than the rule. In the “new normal,” enterprises need the infrastructure to support work from the branch, home, and everywhere else. Traditional remote-access VPNs weren’t designed to support hundreds or thousands of users simultaneously connecting to the network while maintaining an optimal security posture, the way ZTNA can.
So, should you stay with MPLS or should you go?
Ultimately, it’s time to decide whether to stick with your incumbent MPLS provider or consider the alternatives to MPLS...
Whether it’s cost, digitization, performance or secure remote access: is your MPLS “good enough” to support today’s hassles and headaches (not to mention tomorrow’s)?
2. You’ve decided to look for MPLS alternatives: Do all roads lead to SD-WAN?
You’ve decided that your MPLS isn’t all it's cracked up to be. Now what?
While an SD-WAN solution seems like the natural choice, SD-WAN only addresses some of the challenges that you’ll inevitably face at a growing enterprise.
True, SD-WAN will lower the bill and optimize spend by leveraging internet circuits’ massive capacity and availability everywhere.
However, SD-WAN was designed to optimize performance for site-to-site connectivity, with architecture that isn’t designed to support remote users and clouds.
Additionally, SD-WAN’s security is basic at best, lacking the advanced control and prevention capabilities that enterprises need to secure all clouds, datacenters, branches, users and appliances.
Not to mention, adding SD-WAN to existing appliance sprawl is only going to further complicate your network management, adding more products to administrate, and more hassle surrounding appliance sizing, scaling, distribution, patching and upkeep.
And who needs that headache?
So, how do you solve all the above four challenges, while upgrading your networks and achieving an optimal security posture that allows your enterprise to grow, scale, adjust and stay prepared for “whatever’s next”?
3. Ever Heard of SASE?
No, SASE isn’t just a buzzword or industry hype. It’s the next era of networking and security architecture, one that doesn’t focus on adding more features to the complicated pile of point solutions but targets “operational simplicity, automation, reliability and flexible business models” (Gartner, Strategic Roadmap for Networking, 2019).
According to Gartner, for a solution to be SASE, it must “converge a number of disparate network and network security services including SD-WAN, secure web gateway, CASB, SDP, DNS protection and FWaaS” (Gartner, Hype Cycle for Enterprise Networking, 2019). Gartner is extremely clear that these requirements aren’t just “nice-to-have” but non-negotiable: the solution must be converged, cloud-native, global, support all edges, and offer unified management.
SASE actually combines SD-WAN and security-as-a-service, managed via a single cloud service, which is globally distributed, automatically scaled, and always updated.
So, instead of opting for more network complexity with SD-WAN, plus all the setup, management, sizing, and scaling challenges that come with it – why not consider SASE?
It’s time to think strategically: Move beyond the limitations of SD-WAN
No matter if you need to solve one, two, three or all four of the above WAN challenges, SD-WAN is a short-sighted point solution to any long-term organizational challenge.
This means that only a SASE solution with an integrated SD-WAN that includes a global private backbone (in place of costly long-haul MPLS), ZTNA (to serve remote-access users and replace legacy VPN) and secure cloud access (which allows you to migrate to the cloud) lets you grow the business while maintaining your sanity.
If you’re interested in replacing your MPLS beyond the limits of short-sighted solutions like SD-WAN, then you’ll love Cato SASE Cloud.
Check out this Cato SASE E-book to understand:
Why point products like SD-WAN won’t solve long-term architectural problems
What you need to look for in a SASE solution
Why Cato is the only true SASE solution in enterprise networking and security