Being a CISO isn’t the only aspiration for many cybersecurity professionals.
When speaking with candidates, I always like to ask where they see their career path going. Most of them say that they would like to eventually be a CISO (Chief Information Security Officer) or something along those lines. However, there are many different career paths one could take in the cybersecurity industry.
CISOs play different roles depending on the organizational structure and size of the company. In larger organizations, a CISO-type role can be more of a thought leader, driving security strategy, but the person is no longer involved with the technical aspects of security. They lead teams and develop the game plan, but they are also more of a liaison to the other C-Suite members. They play more of a business role rather than a technical role.
Some professionals prefer roles where they are a “Security Evangelist.” They travel and speak at conferences and conventions about the company they work for and security practices. This blog post by David Holmes, who was a Security Evangelist for F5, provides a good idea of what this role entails.
In other organizations, a CISO does the above-mentioned tasks, but they are also still the point of escalation when an issue arises. They still use their technical skills when needed. When searching for new opportunities, it is important to remember what type of CISO you would like to be. You should examine the organizational structure of each company and the size of the company, and really understand what type of role you will be playing. It is also important to speak with other leaders in the business and make sure information security is prioritized in this organization.
While a CISO-type or thought-leader role might be the end goal for some, it is not the job for everyone. I have also spoken with different candidates who prefer not to take a leadership role within the business side of things. They prefer to stay technical; they do not want to sit in meetings all day and would rather focus on performing. Candidates with this preference might be more interested in a Lead Architect or Principal Architect role. These roles are very senior-level and typically involve developing different security practices and strategies, but they also stay very technical.
Overall, there are many different paths your career can take in the cybersecurity industry, as it is constantly evolving and new roles are being created all the time. Do your research and really think about the type of role you would like to one day hold.