{"id":91799,"date":"2020-08-31T09:00:25","date_gmt":"2020-08-31T16:00:25","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=91799"},"modified":"2023-05-15T23:06:09","modified_gmt":"2023-05-16T06:06:09","slug":"cybersecurity-skills-become-ciso","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/08\/31\/cybersecurity-skills-become-ciso\/","title":{"rendered":"Microsoft Security: What cybersecurity skills do I need to become a CISO?"},"content":{"rendered":"

Build the business skills you need to advance to Chief Information Security Officer

For many cybersecurity professionals, the ultimate career goal is to land a chief information security officer (CISO) job. A CISO is an executive-level position responsible for cyber risk management and operations. But cybersecurity is transforming. Today, a good CISO also must have strong communication skills and a deep understanding of the business. To gain the necessary experience to be considered for a CISO job, you need to understand how the role is evolving and the skills required to excel.

Long before I became a Security Advisor at Microsoft, I started my career as an IT System Administrator. Over time I learned security and worked my way up to CISO, and have served as a CISO in a variety of companies and industries. I’ve mentored several people interested in accelerating their careers in cybersecurity, and one of the biggest mistakes that you can make in your career in IT and Security is ignoring businesspeople. The more you advance, the more you will need to understand and work with the business. In this blog, I’ll provide tips for helping you get more comfortable in that role.

From technologist and guardian to strategist and advisor

As organizations digitize their products, services, and operations to take advantage of the cloud, their ability to effectively leverage technology has become integral to their success. It has also created more opportunities for cybercriminals. Companies of all sizes have been forced to pay fines, suffered reputational harm, and expended significant resources recovering from an attack. A cyber incident isn’t just a technology risk; it’s a business risk. When making decisions, boards and executive teams now need to evaluate the likelihood of a data breach in addition to financial loss or operational risks. A good CISO helps them do this.

According to research by Deloitte, there are four facets of a CISO: the technologist, the guardian, the strategist, and the advisor. You are probably already familiar with the technologist and guardian roles. As a technologist, the CISO is responsible for guiding the deployment and management of security technology and standards. In the guardian role, the CISO monitors and adjusts programs and controls to continuously improve security.

But technical controls and standards will not eliminate cyberattacks, and the CISO does not have control over all the decisions that increase the likelihood of a breach. Therefore, the roles of strategist and advisor have taken on greater importance. As a strategist, the CISO needs to align security with business strategy to determine how security investments can bring value to the organization. As an advisor, the CISO helps business owners and the executive team understand cybersecurity risks so that they can make informed decisions. To excel at these roles, it’s important to become knowledgeable about the business, understand risk management, and improve your communication skills.

Acquiring the skills to become a good strategist and advisor

If you are already in the cybersecurity profession and interested in growing into a CISO role, you are probably most comfortable with the technologist and guardian roles. You can elevate your technical skills by trying to get experience and certifications in a variety of areas, so that you understand threat analysis, threat hunting, compliance, ethical hacking, and system auditing. But also find time to work on the following leadership skills.