What you should be thinking about now to prepare you for your career

Overview of what we’ll try to do

In this section, I’d like to take a high-level look at a potential career path for someone looking to become a CISO. When I say CISO I really mean the head of a security tower within an organisation. Some companies do not have CISOs, so you’d be director of security or head of security, or something like that. The point is that you’d be responsible for the security (physical, information, application, et cetera) of the organisation.

I will do this by tracking you through several job families, with a high-level overview of the skills you’ll need at each stage, and links pointing you towards resources for those skills.

What I cannot do or promise

I’m not in a position to tell you how you should live your life, what jobs you should go after, or the only method to become a senior leader. Nor can I tell you if you should strive to be a senior leader. That’s not the point of this.

I also cannot guarantee that if you follow this path you’ll become a senior security leader. I’m not one – I’m just a specialist who has a plan. This is that plan.

Path towards CISO

Step 0 – Technology and Education

Before we talk about career steps you can take, I’d like to talk about step 0, which is the primary focus of all this work. Before you start on this path, you need to make a commitment to increase your skills in technology and your knowledge through education.

Many senior leaders will have business backgrounds – they won’t necessarily be the strongest technicians. With that said, many do come from development or engineering backgrounds. I’ve chosen to build my technology capability. I do this for two reasons: 1 – it’s interesting and I like it, and 2 – I want to earn the respect of my peers and in the future my team.

To be a strong leader, you’ll need commitment and confidence from your team. You can do that in many ways. One way is to have a strong technical understanding, even if you are not doing tech on a daily basis. Techs trust techs and don’t always respect non-techs. If you run a technical security team, you need to be able to speak the language and earn the respect.

Plus, tech is fun. You are in a computer science industry, after all.

Education plans are also essential through this. Many jobs will require understanding, degrees, or certifications in addition to experience and competence. Having a smart education plan to always be learning is essential for your potential leadership success. Later in these posts I’ll talk about education plans, but for now know that step 0 involves you always learning more things.

Job Phase 1 – Entry Level

Start as an entry-level analyst or, if you can join a graduate programme, an entry-level designer, OA, coder, or something. Your first job is entry level. Your goal is threefold:

  • Do your job really well
  • Build a network of mentors, coaches, and peers
  • Experiment with a lot of different work


Job Phase 2 – Middle Level

During your first job(s), you do the above three requirements. In your middle career, you will make a decision to either well-round yourself or specialise. I am personally becoming well-rounded, but if you find something you excel at, you should focus on becoming a subject matter expert.

During these jobs, you should build your reputation, build a network, and excel at your job. Your goal is to exceed your objectives and set yourself up for management. A CISO is a leader instead of a do-er. So far in your career you’ve been a do-er. Once you have mastered that, and gained the required experience, you should move towards leadership.

Job Phase 3 – Management

As you have proven yourself capable of doing your job, you will want to gain skills in leadership and management. You will then want to make the move into a management-level job.

The job of a CISO is to lead a security organisation. More business skills are required than for a doer, and you will find many experts in the middle level with significantly more technical ability than the management level. This is as it should be, and if management is strong, there will be paths for subject matter experts to rise in their careers without having to take the management path.

You should aim to use your management level jobs to springboard you to the CISO position.

Overview Summary

This is a very high-level path that you can think about when planning your journey. If you are like most readers and at the beginning of your career, there is no reason to carefully plan your time as a senior manager. Instead, focus on going from entry-level to expert in your field, gain experience, build a network, and take logical steps.

At each stage, you will gain a better understanding of where you want to be, who you want to be, where you want to work, and what is the logical next step. When you identify those next steps, you can create a spider plot to see what skills you have and what skills are required for the job you seek, then you know where you can logically start improving yourself as you move towards those job requirements.