{"id":165,"date":"2024-09-09T07:00:00","date_gmt":"2024-09-09T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=165"},"modified":"2024-09-09T07:00:00","modified_gmt":"2024-09-09T07:00:00","slug":"whats-next-after-the-ciso-role","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=165","title":{"rendered":"What\u2019s next after the CISO role?"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Few roles have changed as much as the chief information security officer in the nearly 30 years since Steve Katz first held the title at Citicorp in the mid-1990s. As the role has evolved from managing technical controls to business risk, it\u2019s paved the way for CISOs to advance into other positions.<\/p>\n

Four CISO who have taken different paths share their experiences and advice on moving from CISO to new roles.<\/p>\n

CISO to COO: Chad McDonald, COO at RadiantLogic<\/h2>\n
\n

Chad McDonald<\/p>\n<\/div>\n

Chad McDonald, who moved from CISO to COO at RadiantLogic, has held several CISO roles as well as customer experience and professional services roles across almost 20 years. He\u2019s found the CISO role requires thinking strategically across the business and influencing various departments, skills that can be useful when looking to next steps.<\/p>\n

These strategic skills are highly transferable to broader roles like COO, according to McDonald. In the current role, for example, he must understand customer needs and be able to speak a common language with them. \u201cCISOs need to talk to finance, HR, marketing [and] product to bring about change, alter the perspective of the security landscape with the organization or decrease the risk profile. These skills are highly transferable and position you very well to run any kind of operational team,\u201d he says.<\/p>\n

\u201cBeing a CISO, what you do day in, day out, is to think strategically across the business, not just in your lane. Making one change can impact the entire business and so you have to do a good job of influencing outside of your specific remit,\u201d McDonald tells CSO.<\/p>\n

Broad exposure to different verticals is beneficial for pivoting to roles like COO because it involves understanding different regulatory and compliance needs. \u201cIt helps to think in different ways, not just about the internal requirements, but how they translate into what a customer may need and start speaking in a different language and looking at your organization from both an external and internal aperture,\u201d he says.<\/p>\n

Although it\u2019s mostly a linear career path, increasingly there\u2019s a large overlap between security and other C-level roles such as CIO and CTO, which opens new opportunities. McDonald suggests that CISOs need to have a grasp on broad business skills that include finance, project management, and understanding legal contracts. \u201cThey\u2019re crucial for CISOs looking to transition to roles like CIO, CTO, or COO.\u201d<\/p>\n

The ability to communicate well remains critical. \u201cAs you move up, you need to communicate at an executive level beyond just tactical news and be able to explain clearly the direction you\u2019re going and why, to people who may not have experience with technology or security,\u201d he says.<\/p>\n

CISO to CIO to VP: Tammy Loper, VP of information technology and security at the University of Tampa<\/h2>\n
\n

Tammy Loper<\/p>\n<\/div>\n

Tammy Loper, VP of information technology and security at the University of Tampa has built a career out of creating and transforming security and technology operations that\u2019s seen her progress from CISO to CIO and now to VP.<\/p>\n

Through the course of her career, Loper has found that strategic thinking, building strong relationships across the board and gaining buy-in have been integral to workplace success which has translated into opportunities for advancement.<\/p>\n

\u201cIn starting a new security program, I met with every department on campus and analyzed the systems in use, the types of information they process, their techniques, business challenges, and gaps,\u201d she tells CSO.<\/p>\n

Loper creates a common mission that helps build authority to educate and influence within an organization. It also helps gain visibility \u2014 a critical factor in being well positioned for advancement. \u201cIf your role is buried in the organization, and you\u2019re trying to push things from the bottom up instead of top down, your visibility might not really be there for trustees to know who you are and what you\u2019re capable of,\u201d she says.<\/p>\n

CISOs have a unique vantage point in understanding an organization\u2019s processes and positioning security as part of the core mission, and this potentially opens up opportunities for more senior roles.<\/p>\n

In her case, Loper successfully built a security program and extended that strategy across IT to become CIO. The eventual move to become VP reflected the fact that IT and security needed a certain authority across every unit within the university. The challenge is keeping the dial in the middle between business needs and security needs and CISOs may need to unlearn a singular focus on security. \u201cCISOs can sometimes struggle to make those difficult compromises, but you need to be able to find that balance to meet organizational goals and have the confidence in those decisions,\u201d she says.<\/p>\n

CISO to mentor and board member: Paul Connelly, board advisor<\/h2>\n

Paul Connelly has held several CISO, CSO and information security roles, including stints in the NSA and the White House, before shifting to technical advisor and board member roles. In that time, he\u2019s seen the change in focus and standing of the CISO role. \u201cWhen I started, it was all about technical knowledge and now it\u2019s understanding the business and how you affect the business,\u201d Connelly tells CSO.<\/p>\n

\n

Paul Connelly<\/p>\n<\/div>\n

Today, he regards passion for the job, the ability to communicate and organizational skills as almost more important than any specific background for the role.<\/p>\n

When it comes to aspirations to take a seat on the board, Connelly has found the skills it takes to be a successful CISO today translate well to such leadership roles. \u201cPart of the evolution of the CISO role has been engagement with business leaders and being involved in strategic decisions and, if you prove yourself setting the strategy, working with other people, and driving successful projects, it really opens doors to the board,\u201d he says.<\/p>\n

In his board roles, he\u2019s able to bring up things nobody else around that table would have identified or pursue follow-up questions when there\u2019s an update from the CIO or the CISO. \u201cWhen I think of how important security is to companies, it\u2019s astounding that more don\u2019t have people with our background,\u201d Connelly tells CISO.<\/p>\n

However, CISOs are not in the frame for board recommendations if they\u2019re not part of the networking circles that include CFOs, CEOs, and existing board members. \u201cGet to know the board members and develop that network of people so when you\u2019re ready, the members of the board are going to be right there behind you and can recommend you.\u201d<\/p>\n

Connelly suggests CISOs engage with other business leaders and broaden their skills, including becoming involved in workplace committees such as risk or DEI. \u201cIt\u2019s vital to get involved in other areas, because boards can\u2019t afford to assign a seat to somebody who only focuses on one area.\u201d Knowledge of the workings of boards is also important, but it doesn\u2019t just always happen organically. \u201cStudy what boards do, consider certification through groups like the National Association of Corporate Directors and get some experience by serving on not-for-profits that are always looking for board members.\u201d<\/p>\n

And look for allies who will support your ambition for a board role. A supportive CEO could provide opportunities to interact with board members as peers and help with directions and feedback on presentations and updates to the board as part of your preparation. \u201cTalk to your senior leadership and let them know what your interests are and see if they could help.\u201d<\/p>\n

CISO to CSO to investment advisor: Justin Somaini, partner at YL Ventures<\/h2>\n

Justin Somaini, partner at YL Ventures, held CISO, CSO and chief trust officer roles at some of the largest global tech outfits before moving into an advisor role. He sees the CISO role as a multi-faceted role akin to a salesperson. \u201cWe\u2019re selling security internally,\u201d Somaini tells CSO. <\/p>\n

\n

Justin Somaini<\/p>\n<\/div>\n

This means embracing marketing to sell the message, human behavior to understand the audience and their rationale for adopting security and learning to build bridges to get security done. \u201cSecurity people don\u2019t just do work, we find problems. Then we find the solutions, and we tell everybody else in the company to actually get something done,\u201d he says. It requires understanding the job and function of others and appreciating the challenges and hurdles of those individuals.<\/p>\n

This creates a natural opportunity for CISOs to learn about how businesses are built and the stepping stones to new opportunities. \u201cIf you really push yourself to learn these other functions, you\u2019ll not only be successful in your current role, but also have a platform to get to the next one,\u201d Somaini says.<\/p>\n

There\u2019s no one right path, so it\u2019s a matter of charting your own course. \u201cA lot of CISOs are trying to figure out what\u2019s next and we\u2019re testing it out for the first time en masse in the industry. But as an industry we do need to figure out what the career tracks are.\u201d<\/p>\n

Arriving at his current role came through \u201ca lot of small things throughout the years\u201d that included getting to know founders and VCs and then taking advisory roles for VCs and startups. His advice is to expand your network to create opportunities to move into new positions. \u201cWhen I was at VeriSign, I was introduced to Nir Zuk at Palo Alto [Networks]. It was coming out of stealth; I became an advisor for him, which I never knew was a thing you could do, and I loved it,\u201d he says.<\/p>\n

As part of a team that selects the next investment, he utilizes his security domain knowledge with experience of how to support companies on their journey of maturity. It means being a \u201cvalue-add VC\u201d who understands the sales and marketing lifecycle and can provide support to startups that don\u2019t yet have heads of sales or marketing at the early stage.<\/p>\n

He suggests CISOs consider holding dual-title roles<\/a> to gain additional expertise and take advantage of the role\u2019s remit across an organization to learn about all facets of a business and build relationships with other departments. \u201cBecause they\u2019re horizontal, the CISO can see everything and build those relationships.\u201d<\/p>\n

Echoing the sentiments of the others, he points to the value of networking that can lead to new things down the track. \u201cDevelop and foster relationships outside of the security world to open up new opportunities.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Few roles have changed as much as the chief information security officer in the nearly 30 years since Steve Katz first held the title at Citicorp in the mid-1990s. As the role has evolved from managing technical controls to business risk, it\u2019s paved the way for CISOs to advance into other positions. Four CISO who […]<\/p>\n","protected":false},"author":0,"featured_media":166,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-165","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/165"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=165"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/166"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}