CISO Diaries
fileake,
Jul 02
2024
Forging a path to sit on the board as a Chief Information Security Officer (CISO) can be a long-term goal for many cybersecurity professionals. It enables you to influence decision-making and have a long-lasting impact on a company’s cybersecurity strategy.
But how do you become a CISO if your background in security is technical?
We spoke to three talented CISOs who all started their careers in technical cybersecurity roles to find out:
Timothy Martens, Freelance CISO and CEO of T.M. cyber consultancy BV.
Kenton McDaniel, CISO at Henry Schein One.
Christophe Foulon, Fractional CISO and cybersecurity board advisor.
In this post, we break down some of the key learnings shared in our discussion.
As a cybersecurity professional working in the technical trenches every day, you need to learn how to speak to board members if you hope to become a CISO:
You have to understand the audience you’re talking to and the things that are important to them. And how you can translate the cybersecurity technical risk into a business risk that affects them and engages them to solve the problem.
Christophe Foulon, Fractional CISO and cybersecurity board advisor.
But how can you speak to an audience you don’t yet understand? Kenton shared some actionable advice:
I learned to start asking them questions about what matters to them and their motivations to help speak risk in their language.
This taught me how I could translate that risk into dollar value.
I asked myself: Does this dollar value make it a priority or a business-acceptable risk?
You have to deal with a certain level of business acceptable risk.
Kenton McDaniel, CISO at Henry Schein One.
Timothy Martens, Freelance CISO and CEO of T.M. cyber consultancy BV, summarized talking technical risk to the board:
Understand what the board cares about: they think about financial and business impact, understand what they want to hear.
Speak their language: they speak with different jargon to cybersecurity professionals, learn to communicate their way.
Ask the right questions: what’s their acceptable risk and perspective?
While learning how to communicate with the board is key, you need to gain exposure to the right people and teams in order to do so!
So, when working as a penetration tester, for example, consider expanding your scope.
Start taking responsibility for things and gain partnerships.
For example, when I was a penetration tester, I would approach legal and say: here’s the scope, how do you feel about it?
Pulling them into the scope of work built influence and relationships, involving other departments in my day-to-day role.
Kenton McDaniel, CISO at Henry Schein One.
Christophe had a similar approach of expanding his reach with a technical role:
My experience came from stepping up to take the opportunity.
Even when I was working in helpdesk, I offered to be the helpdesk person assigned to the CEO.
I quickly understood that talking in technical jargon didn’t help me communicate with him, so I had to learn to communicate in the language of the business.
Christophe Foulon, Fractional CISO and cybersecurity board advisor.
How you’re perceived is also important for reaching those executive leaders and gaining their respect.
Timothy Martens landed his first CISO role at the age of 26, so he has a unique perspective on earning respect early in a career:
I faced many challenges with being taken seriously at a young age.
So, when I go to a meeting, I put my phone away and don’t leave it on the table, as a form of respect. When I go to a meeting, I listen. And I always try to speak last.
If you do those little things, people will take you more seriously.
You need both the knowledge and the presence.
Timothy Martens, Freelance CISO and CEO of T.M. cyber consultancy BV
Great, you now know how to translate cybersecurity risk into business risk, and how to cut down the technical jargon.
But how do you leap from a technical role to a board-level Chief Information Security Officer?
Look for places in your business where you can take on risk management.
Take your technical experience and learn the risk management portion. Combining those two skill sets gives you a comprehensive view of the risk.
Try volunteering to give your opinions to small businesses.
As soon as you start speaking in the language of risk management, people pay attention.
Kenton McDaniel, CISO at Henry Schein One.
Note 💡: For a comprehensive guide on AI risk management, read our blog on 5 steps for proactive AI risk management.
So you think you’re cut out to be a CISO?
We asked our three CISOs about the main challenges they face in their role.
Everyone sees the hype around AI but doesn’t understand what's happening behind the scenes.
What organizational data is needed to produce these outcomes and how is this data being processed?
This risk is often way overlooked with regard to the data. I’m helping to create AI guardrails that allow businesses to better process the data.
Christophe Foulon, Fractional CISO and cybersecurity board advisor.
Finding the time to understand emerging technologies at scale and rendering opinions quickly is difficult.
I have to take time to research. The most important technical skill is the ability to research effectively. Effective research is key to keeping on top.
You need to feel comfortable saying: I don’t know, let me find out.
It’s okay to push back and give realistic timelines.
Kenton McDaniel, CISO at Henry Schein One.
Manufacturing companies are increasingly being targeted by cybercriminals, and they aren’t prepared.
Balancing IT and OT, bringing them up to the same level is a challenge that many companies aren’t prepared for.
Timothy Martens, Freelance CISO and CEO of T.M. cyber consultancy BV
Being a CISO is an honorable profession. You sit at the helm of a company’s cybersecurity strategy, guiding decisions on security operations and helping a company stay safe.
However, it’s not an easy role and requires you to wear many hats. We hope you found the advice from our CISOs helpful.
For more resources, check our CISO diaries category on the blog:
CISOs: Win your “board's blessing” with this reporting template
How to connect cybersecurity learning outcomes to company goals
Building resilience: How security leaders can protect their teams from burnout
11 critical CISO interview questions (from actual security leaders)
Navigating the new SEC Ruling: An actionable guide for CISOs
Become an HTB Subject Matter Expert
Are you a cybersecurity professional who wants to contribute to articles like this one?
Join the HTB SME program and you’ll benefit from the following:
A huge audience: Our HTB community has over 2.7 million members, giving you a huge platform to share your knowledge with and feature in our editorial content.
Networking opportunities: Meet other HTB SMEs and expand your professional network, meeting people you may never have connected with if it wasn’t for your involvement with HTB.
Recognition: Any insights you provide will be credited to you, including your name, title, and LinkedIn profile. Some content will get additional love on social media too!
Share your experiences: We’re giving a voice to cybersecurity professionals, providing you with a platform to share your knowledge and experiences.
Help others: Your unique insights are incredibly valuable to other cybersecurity professionals, or even individuals just starting their careers.
💡 Find out more on our blog: Become an HTB Subject Matter Expert