For many professionals in information security, there comes a time when the promotions stop coming at a predictable pace. For most, this happens at the upper end of middle management. This is the point when simple technical competence is no longer enough to earn the next bump in pay. Something more is needed to join the ranks of the executives up in the C suite. There are still many companies of decent size that do not employ a CISO (heck, Target didn’t hire a CISO until two years ago). What that means is a talented manager could be tapped to fill the role if the need was made clear. Here are some ideas on doing this.
Top 5 ways to make the leap from management to executive:
- Change your focus from technology to strategy. If you are known as a tech person in your organization, it’s very unlikely that you would be chosen for an executive role. Start thinking strategically about how your current job impacts the company’s bottom line. You know how important security is to your organization but do you know your company’s strategic vision for the future? Do you know the trends in the industry and how they may affect the company? A couple of well-written emails detailing how security could fit into this broader view could go a long way toward changing how people see you and your role in the organization.
- Learn everything you can about your organization – including the industry. In a recent survey, C-Level executives reported that they did not view even the CISOs of their organizations as peers. You can use this eye-opening data to your advantage by striving to be just as informed as the executives at your company. Truly strategic leaders need as much information as they can possibly gather in order to lead effectively. Any chance you have to make decisions on projects, budgets, etc. based on in-depth knowledge of your company and the industry in which it competes should be leveraged in order to show you are more than just a mid-level manager.
- Find ways to have professional face time with the heads of other programs in your organization. A good CISO will be striving to build good relationships with all departments in an organization, not only to ensure buy-in for security policies but also to ensure security is top of mind for all the leaders in the company. The more leaders who know you as an effective, forward-thinking team player, the better. Identify the leaders with whom you already work and ask yourself how they see you – as a tech resource or an integral part of their mission? Work to change the answer if it’s the former.
- Find a mentor and learn from those more experienced than you are. Attend any information security events you are able to and focus on networking. This applies to any industry, but many information security managers haven’t had the management training that other kinds of managers may have received. While it’s becoming more popular for CISOs to have MBAs, many IS managers got into the industry because of the exciting technical challenges and only realized later that management was where they wanted to focus. If this is you, find someone else who has been there. EC-Council CISO events are full of erstwhile techies who are now high-level executives. Find out how they turned their passion for technology into a career in management. There will be specifics that no amount of Googling will help you overcome. Sometimes you need someone wiser whom you can call for advice. Speaking of conferences, those are great places to learn from peers. Don’t be shy (this is easier for some personality types than others) during question and answer periods and during breaks. Be curious about the challenges others have faced. Keep in mind, executives are rarely wallflowers – work on being social and approachable both at conferences and at work. If people don’t feel comfortable coming to you with questions or to brainstorm solutions, you won’t become an integral part of important teams.
- Earn an executive credential. Whether your first executive job is with your current company or in a new position with a new organization, part of being taken seriously as a candidate for a high-level job is having high-level credentials on your resume. The reason for this is that executives are expected to be leaders, not just managers. Leaders motivate, make sound strategic decisions, are always thinking of the long term as well as the short, and understand how their mission fits in with other departments’ missions as well as the overall company mission, among many other things. As mentioned earlier, there is a trend toward IS professionals earning MBAs in order to advance, but on the off chance you don’t have the time or money for that kind of thing, consider other management certifications on the market. Of course the Certified CISO program was created by CISOs specifically for those looking to make the jump to executive levels or those looking to hone their executive skills. There are other programs on the market as well. Make sure the program you select is not focused on technology but on executive management. A focus on strategy, finance, audit management, and risk management is a sign that the program is indeed aligned with the goal of executive management. Take your time, research what’s available, and make a plan for furthering your education. That may include earning your CISSP, then your CCISO, then pursuing a Master’s Degree in information security. Whatever your plan is, run it by your mentor and get their feedback before committing to anything.
Of course, there are many paths to the executive suite but most involve making relationships and becoming invaluable to your organization.