3 Steps To Become A CISO (Chief Information Security Officer)

On this episode of Life of a CISO, I teach you three core prerequisites to be a successful CISO. If you do not have these three minimum requirements to be a successful CISO, you will fail at your job, and you will get fired. It may very well not be your fault that you get fired, because if the CEO does not agree to give you the authority it takes to be an effective CISO, your job is already as good as lost. Therefore, you must advocate for yourself.

🔑 [FREE MASTERCLASS]
Discover How You Can Advance Your Career Through Cybersecurity
https://safe.secure-anchor.com/nl-web...

Here are the three prerequisites: 1, the CISO must be equal to other vice presidents, like the CIO. This is because security has a specific metric for success: Uptime. The goal of the CIO is to have the service be available 99.999% of the time (called 5 Nines), and this means that time spent shutting down the servers for maintenance and patching takes away from his bonus. Therefore the CISO must be able to have equal authority, so that the CEO can decide whether to favor security or uptime. 2: Have a metric. As I just mentioned, the CIO wants 5 nines uptime. The metric I have come up with is how many attempted attacks in a given period of time. It’s not perfect, but I’ve yet to hear a better one. 3: Have security KPIs in place. This means that you must test security and have a measurable outcome that you can report on. For example, run a phishing campaign on your own company. If the phishing campaign produces a low amount of successful phishing attacks (but you’re very unlikely to have 100% success), security is effective at your organization. If you have these prerequisites, you can be an effective CISO; if not, you might want to keep some copies of your resume nearby, because you will unfairly lose your job as a CISO before you know it.

Show Notes:

0:00 Welcome
1:26 Teaching the core focus areas that you need to be successful
3:42 You must have somebody in charge
4:02 Security is not a component of IT, it is separate from IT.
5:24 What I don’t like to see is a CISO that reports to a CIO, I like him to report to the CEO
5:47 Sometimes uptime and security are at odds, and the CEO needs accurate information
6:09 By 2025, The CIA (Confidentiality/Integrity/Availability) may have their own dept. head
8:05 The CISO must be equal to the CIO.
9:35 Why CIO and CISO are sometimes at odds
11:20 You must have a single metric of success
12:14 You need your version of “5 nines”
12:35 The current metric for a CISO (and why it’s very bad)
13:41 Functionality/Security is zero sum
14:34 The goal of security is not to prevent all attacks, it’s to minimize exposure of critical data
15:14 The best security metric I could find
16:36 Attempted attacks
18:21 How many attacks do you think you have per week?
20:34 Why this metric raises awareness
23:40 You need to have security KPIs for all of the business units.
24:05 Security problems in action
26:28 Why VPs will fight you when you advocate for yourself
27:54 Phishing campaign as a metric for success
28:54 Wrap up and review: 3 things you need to be a successful CISO


About Dr Eric Cole
Eric Cole, PhD, is an industry-recognized security expert with over 20 years of hands-on experience in consulting, training, and public speaking. As the founder and CEO of Secure Anchor Consulting, Dr. Cole focuses on helping customers prevent security breaches, detect network intrusions, and respond to advanced threats. In addition, he is a sought-after expert witness and a 2014 inductee to the InfoSecurity Hall of Fame.

Follow me:
  / drericcole  
  / drericcole  
  / drericcole  

https://www.secure-anchor.com/

#LifeOfaCISO #CISO