Do CISOs consider these 5 career paths?

Written By Peter Vogel

SCworld.com reported that “Now that top management has been calling for chief information security officers (CISOs) to emphasize business strategy and risk management over technical leadership, the route to the top cybersecurity role will face some significant changes in the coming years.”  The October 14, 2024 article entitled "Five alternative paths to the CISO chair” (https://tinyurl.com/2hw6eepn) included these 5 career paths:

  •   Legal:  With regulatory and litigation landscapes around cybersecurity and breach incidents growing more complex, modern CISOs are called to collaborate more closely with legal departments more than ever. At some companies a legal background along with some relevant security industry expertise could make sense for the CISO position.

  • Product management: The Secure by Design mandates led by CISA and the broader cybersecurity community will drive more movement at the top of the executive food chain for embedding security into product roadmaps and planning. Companies with heavy engineering or product development missions will want CISOs with product management experience.

  • Vendor management: With third-party risk management and software supply chain security growing in importance within the discipline of cybersecurity, many companies with complicated vendor relationships may start to draw cybersecurity leadership from the vendor management side of the house.

  • Accounting: Late last year the Association of International Certified Public Accountants rolled out new rules that will have prospective CPAs choosing one of three major specializations to train in as a part of their certification. Cybersecurity was one of those three, which means in the coming years we'll see a host of new cyber accountants hit the workforce. With further on-the-job training, these disciplined, detail-oriented individuals will emerge as prime candidates for CISO positions sometime down the road.

  • Business operations: Ops folks can work cross-functionally across the business, how to speak the bottom-line-oriented language of business, and how to manage people. These are the most essential skills for the modern CISO and are arguably harder to train in leaders than security fundamentals. Putting mid-career business operations people on some lower-level security job rotations could prove a fruitful way to build up future CISO candidates.

This all sounds good to me, what do you think?

Peter Vogel
Previous

Are you surprised that Cloud Credentials are being stolen by Phishing and BEC?
Next

What are you doing to weigh the risks of GenAI?