How to Become a Chief Information Security Officer
March 10, 2021
Protecting sensitive corporate and customer information has become big business—and the average base salary for CISOs is $222,930 per year. Here's what you need to know.
Data security is more important than ever before. While there are many professionals in the field of information security, the executive responsible for coordinating all efforts to protect an organization's data is the chief information security officer or CISO. Sometimes called VP of security or chief security officer, a CISO is a leader in the fight against emerging threats to information security.
Whether you currently work in cybersecurity or are considering a career change, becoming a CISO is what's waiting for you at the top of the cybersecurity hierarchy.
Becoming a chief information security officer isn't easy, but if you love doing what it takes to keep information assets, intellectual property, and other digital holdings safe, then there's no reason not to set your sights on this role.
Curious what it takes to become a CISO? In this article we'll cover:
- What does a chief information security officer do?
- How much does a chief information security officer make?
- How long does it take to become a chief information security officer?
- Educational commitment to becoming a chief information security officer
- Typical advancement path for a chief information security officer
- Licensure and accreditation for becoming a chief information security officer
- Are CISOs in high demand?
What does a chief information security officer do?
The CISO role is a relatively new one, but it's vital in today's information-driven world. The responsibilities of a chief information security officer vary by industry, the size of the organization, and how it is regulated.
In general, however, these executives analyze security threats and weaknesses and develop and maintain robust information security strategies and policies. To do this, they inventory an organization's information assets thoroughly and look at what existing and potential threats they face.
From there, they decide how best to protect those assets from accidental and intentional misuse. They also look at an enterprise's assets through the lens of laws and regulations concerning data privacy.
Ideally, an organization's information security strategies protect it from running afoul of these laws, but when breaches happen, a CISO must know how to deal with the legal consequences, not just the financial ones.
Citigroup CISO Stephen Katz breaks down the duties of the chief information security officer into the following categories:
- The real-time analysis of threats
- Studying developing security threats
- Communicating threats to the board
- Data loss and fraud prevention policy planning
- Security architecture planning
- Securing access to restricted data and systems
- Risk assessment and mitigation
- Incident response and forensic investigation of breaches
- Making sure initiatives receive funding
Becoming a chief information security officer means taking on much responsibility—especially in an age where a data breach can cost a company millions, if not billions, of dollars.
How much does a chief information security officer make?
As a critical position in cybersecurity technology, CISOs can expect competitive compensation. CISOs earn an average salary of $100,000 per year—but sector, experience, and location impact earnings. Chances are you'll make more working in New York City than in Youngstown, OH, and working in the business sphere pays more than working in the public sector or law enforcement.
ZipRecruiter lists the average salary for chief information security officers at $153,541. Salary.com lists the average base salary for CISOs at $222,930.
In any case, the short answer to the question 'How much does a chief information security officer make?' is: a lot.
How long does it take to become a chief information security officer?
CISO is the pinnacle of the information security job ladder, and getting there, unsurprisingly, takes quite a bit of time. There are exceptions, of course; you could become CISO of your friend's bedroom startup fresh out of school, for example. However, for startups with serious funding and of course for established companies, you're going to need years of experience and training. Job descriptions will usually ask for relevant technical degrees—typically a master's degree or higher, seven or more years of experience in information security, a management background, hard IT skills like programming, and amazing communication skills.
Educational commitment for becoming a chief information security officer
The first step is completing a four-year bachelor's degree in computer science, cybersecurity, or a related field.
Some of the best cybersecurity degree programs can be found at:
- Boston University, which offers a computer science degree with a concentration in cryptography and data security
- California State Polytechnic University - Pomona, which has an information assurance and cybersecurity track
- Colorado Technical University-Colorado Springs, which lets bachelor's degree students specialize in computer systems security and information assurance
- DePaul University, which is one of the top schools in the US for cybersecurity
- George Mason University, which offers a degree in cybersecurity engineering
It's common for a chief information security officer to hold an MBA, but more and more aspiring CISOs are completing master's degree programs with an information security focus. You can also split the difference by looking at Master of Business Administration programs that offer concentrations in information security. These on-campus and online degree programs may also be called Cybersecurity MBAs or Information Security MBAs, but whatever they're called, they give students the knowledge and tools to build careers that meld business administration and computer science.
Some of these degree programs can be found at:
- Oklahoma State University - Main Campus
- George Washington University
- University of South Florida - Main Campus
- University of Baltimore
- Florida Institute of Technology
- James Madison University
During your university years, you'll study management, economics, finance, and other business concepts along with cyber defense, IT forensics, data management, and many more information security concepts.
Typical advancement path for a chief information security officer
Becoming a chief information security officer means spending years in the field of data security. Many CISOs begin their careers in cybersecurity as security administrators, network administrators, system administrators, or programmers in some other field.
From there, they may become security analysts, security engineers, security auditors, or cybersecurity specialists. Before joining the executive team, most will serve as security architects, security consultants, security directors, heads of IT, or information security managers.
As you climb the ladder in cybersecurity, look for roles with titles that indicate leadership: manager, director, or VP. According to Digital Guardian's research, the majority (59 percent) of CISOs came up through IT and IT security while only 40 percent hold a degree in business.
IT researcher Larry Ponemon told SecureWorld that "the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board."
Becoming a CISO is about more than education or experience, however. Chief information security officers are expected to have a lot of technical skills, especially cybersecurity-focused ones.
For instance, a CISO is expected to understand:
- Ethical hacking and threat modeling
- Firewall and intrusion detection and prevention protocols
- Compliance assessments, proxy services, and DDoS mitigation technologies
- Auditing information systems
Licensure and accreditation for becoming a chief information security officer
CISOs don't need to be licensed, but there are a lot of CISO certifications, and the good news is that you can start adding them to your resume years before you move into this executive position. Deciding which security certifications to pursue is difficult because there are many relevant programs.
You could become a:
- Certified Information Systems Security Professional
- Certified Information Security Manager
- Offensive Security Certified Professional
- or even a Certified Ethical Hacker (which has the added benefit of sounding cool)
Aspiring CISOs should also look at the ISACA Certified in the Governance of Enterprise IT credential, which focuses on enterprise-level IT governance principles.
There are many more applicable security certifications, and you should pursue those that interest you. Don't neglect this essential element of becoming a chief information security officer because the candidates you'll be competing against have numerous certifications.
Are CISOs in high demand?
Absolutely! More and more companies are hiring their first CISO, and the demand for CISOs is growing as the cybersecurity world and the threats to digital assets evolve. While this position was, at one point, less critical than CIO or CSO, the role of CISO is quickly gaining clout in large organizations. Newsworthy (and hugely expensive) data breaches have helped awaken organizations to the dangers of lax information security, propelling this role into the C-suite.
All this means that if you're willing to put in the work to become a chief information security officer, and you have the skills, determination, and willingness to work long hours, you'll probably have no trouble finding a high-paying job.
Questions or feedback? Email firstname.lastname@example.org