Cyber Security Level-up: Advice for those looking to get into senior management


The skills that got you where you are aren’t the skills that will get you into the C-suite. After years of working with board and C-level executives, I can tell you that technical skills are not what they are looking for. There is a lot of talk about how education and certification are not important in cyber security, and at lower levels, that is true. However, a true CISO (a real C-level) isn’t a technical position anymore. They are more likely spending their time working with business leaders on business processes, compliance, budgets, projections, risks and mitigations, and strategy.

Being really good at capture the flag (red or blue) doesn’t make you a CISO. It’s a different skillset, and while technical skills help, they aren’t required. Just like a CEO doesn’t actually have to be the best expert at building cars, the CISO is almost certainly not the best hacker in the company.

I’ll come right out and agree that an MBA or certifications do not make a person a good fit either. They do, however, show commitment to expanding and improving their skillsets and knowledge. A major complaint from executives about technical people is that they don’t understand business. That usually translates to the technical people not being able to explain things in business terms.

Most technical people are intelligent and tend toward logical analyses. The board room is not always logical. Politics plays a big role in business and often leads to actions that look “illogical” to a technical person. That leads to large amounts of frustration that ‘management doesn’t understand the security risks.’ In fact, management may well understand risk mitigation better. They may actually have a broader knowledge base to evaluate the situation. MBA programs and certifications usually don’t focus on teaching/testing technical skill; they focus more on what senior management does.

“My new boss may be a CISSP but doesn’t know the first thing about running a pen-test…CISSP is a worthless certification.”

– Junior Security Analyst at a company I helped

Many analysts and even managers downplay certifications as fluff. I appreciate why someone would think that if they don’t understand what the certification is trying to do. CISSP is certainly not testing a threat hunting skillset. CISA is not looking at the ability to test security on a web server. These certifications are very specific and VERY misunderstood.

Let me say here that, yes, certifications like CISSP, CISM, CISA, etc. are not well understood by management either. That is why we see crazy job postings that include CISSP for an entry-level position. So the misunderstanding is on both sides.

How do you get there from here?

Once you have established yourself as a security expert, it is time to start thinking about your long-term career goals. If you want to move into a senior management position, you need to be able to communicate effectively with business leaders. This means being able to explain complex technical issues in terms that non-experts can understand.

Career coaching is a whole specialty. If you are serious, and have the money, get a coach. If you are just testing the waters and looking for advice, here are four tips for security engineers looking to move up the corporate ladder:

Learn to think like a business leader.

This is the big one. One of the key skills you need for senior management is the ability to see things from a business perspective. Start by reading books and articles on business strategy and management theory. This will help you develop an understanding of how businesses work and how to make decisions that are in the best interests of the company.

Become a good negotiator.

You also need to understand how to market yourself. This applies to selling your talents both internally and externally. Although not strictly a negotiating skill, explaining what you bring to the table is important. When someone is interested in talking to you, you need to negotiate your way into a job.

As a manager, you will often be asked to negotiate contracts with vendors and suppliers. To be successful in this role, you need to be able to get the best deal for the company while still meeting your own needs. Negotiation skills can be learned by studying books or attending courses on the subject. I just finished a great book, “Never Split the Difference” by Chris Voss.

Develop your public speaking skills.

Many senior managers are required to give presentations to large groups of people. If you want to move up the corporate ladder, you need to be comfortable speaking to groups. Start by practicing in front of friends and family members. Then, when you feel ready, sign up for some public speaking classes or workshops.

Build a strong network of contacts.

The best way to get ahead in your career is to build a strong network of contacts. Attend industry events and meet people from all levels of the organization – from top executives down to entry-level employees. Get involved in social media sites like LinkedIn and Twitter, and connect with people who work in your field. The more people you know, the more opportunities will come your way.

As much as we hate to admit it, jumping to a new job is often the quickest way to get promoted. It does mean you have to learn a new job and new politics. You may also need to fix the mess the previous tenant left for you. Moving up in-house can be slower, but you probably get to build on your own framework.

#Cybersecurity #executiveadvice

Paul Bergman