My job: CISO
Meet Jim Mapes, a CISO at Cybersecurity Auditing Technologies Inc. with over 20 years of experience. We spoke to Jim about his incredible journey and how he came to be a Chief Information Security Officer.
"Originally, there was no official CISO," Jim chuckled, "the job title didn't exist when I first entered the workforce. It was something I got into slowly at first." Initially, Jim worked for Arizona State University, where cybersecurity wasn't yet known in the industry. "At the time, we were known as information security or information assurance, not as cybersecurity professionals. When academics heard the word security, they instantly thought of restrictions, which they didn't appreciate." This was until a disgruntled student hacked into a professor's network and deleted a novel he had been working on. "This was a wake-up call for the department because, at the time, there were lots of viruses going around via infected Microsoft Word or Excel files."
Working for the State
After Jim left the university, he secured a job at a company that provided cybersecurity services to different businesses. “You would have thought that post 9/11 was a great time to be in security,” exclaimed Jim, who went on to work for the State of Arizona, where he and a small group of individuals handled cybersecurity for the whole state. “But it wasn’t. Nothing really changed, sadly.” Still, Jim said that working for the state was excellent because he got to do many different things. He worked for the Department of Public Safety, the state police for Arizona. “This was great because I gained lots of experience with securing infrastructure, using firewalls, VPNs, and also working in digital forensics.” Jim explained that he learned computer forensics directly from the Arizona State computer crime division.
What is a CISO?
According to our expert, a CISO or Chief Information Security Officer is the individual who leads the cybersecurity effort in an organization. This individual manages the teams responsible for the protection and safety of both digital and physical systems. A CISO lets a business treat cybersecurity as a strategic matter, engaging in activities that help the company grow while ensuring the highest level of security. The CISO does this by being involved in all aspects of the business. “I would be a part of all the different planning at a boardroom level, and then I would come back and start to examine with my team. Eventually, I would return to the boardroom to translate our findings more strategically.”
The CISO also works with the stakeholders to define the risk appetite, which is how much risk a company is willing to accept. “An organization may say they don’t want any critical risks, and they want them all fixed, and we'll do whatever we need to do to see those things mitigated down to a lower risk level” – most organizations accept about 20% risk. Usually, organizations prefer to accept low risks rather than moderate or high ones.
“The Chief Information Security Officer uses a high-level strategy for assessing the different things that need to be done for the organization versus what he needs to talk to the executives about. These strategies are useful in addressing things like where the company wants to go. The CISO wants to stay in step with the rest of the business leadership and help the organization continue to enable its operations through security.” These strategies may include an information security policy, which is a core component of an overall security strategy. This is a set of written practices and procedures that all members of the organization must follow to ensure the confidentiality, integrity, and availability of the company's data and resources.
What does a CISO do?
Traditionally, a CISO's primary goal is to manage a team that protects an organization's digital assets, applications, systems, and technology, while also helping to build business outcomes. A CISO will also hire, train, and retain the cybersecurity professionals on their team. "The work of a CISO at a high level is to ensure the organization's security while translating the business requirements down to the team so that the team can complete their work to maintain its security posture."
Confidentiality and Integrity
“A CISO is responsible for ensuring certain things are achieved and maintained. For example, we ensure that confidentiality and integrity of information are facilitated, maintained, and available to companies.” It is the CISO’s responsibility to secure assets such as data. “It is important to note that a Chief Information Security Officer ensures that leadership can make effective business decisions surrounding cybersecurity issues.”
Jim mentioned that CISOs act as translators between the team and the stakeholders. "You have to work as a translator between the deep, complex technological side and the business operations." Jim gave an interesting analogy for his relationship with the business executives. "The higher-ups have their cards in their hands, but they don't know the value of those cards. It was my job to come in there and help them understand their cards' value. Once they understand the value of the cards, they have a better idea of how much they should bet on that hand or whether they should let it go."
A CISO is responsible for leading a team of cybersecurity professionals while implementing and maintaining security policies and protecting critical data. Some of a CISO's responsibilities may include but aren’t limited to:
- Managing and organizing a team - CISOs are responsible for building and maintaining a team that deals with data and cybersecurity issues.
- Developing and implementing security strategies - a CISO develops and manages the organization's information security strategy and policies while ensuring they match the business objectives.
- Risk management - a CISO helps the team identify, assess, and prioritize security risks and vulnerabilities while developing mitigation strategies.
- Incident response - a CISO creates and leads an incident response plan, ensuring the organization is prepared for security incidents.
- Security audits and assessments - a CISO coordinates and responds to security audits and inspections conducted by internal teams or external parties.
- Security technology evaluation - CISOs evaluate and recommend new security solutions to improve the organization's security posture.
- Security culture - a CISO fosters a security-aware culture so that security is present throughout the entire company.
One of the primary skills required of a CISO is communication. “Both oral and written communication is a must.” Technology awareness and technical skills are the secondary skills needed to become a CISO. “Once upon a time, the Chief Information Security Officer was just the guy with the most technical capability. Now, a CISO has matured into a business manager or business leader.” Furthermore, managerial skills are paramount in a high-level position where you are expected to manage teams of varying sizes with different responsibilities.
Under the CISO, several groups work together to solve cybersecurity problems. "I organize my team into a red and blue team. We would usually organize it so that one group would work primarily on anything that would secure us when building infrastructure. This includes bringing in firewalls, VPNs, figuring out access rights, privilege rights, and passwords." The other group acts as malicious agents trying to infiltrate the organization's infrastructure. "This group is constantly assessing the infrastructure, running penetration tests, and fixing vulnerabilities. As a CISO, I would lead and navigate these groups through these activities." The CISO manages the team by setting the strategy and instructing the team on how to put it into practice.
What industries need CISOs?
Chief Information Security Officers are required across a range of industries, including management, education, and local government. Any sector that handles sensitive data should have a CISO overseeing the organization's security and managing a team of cybersecurity professionals.
CISO at university
As the CISO is a high-level managerial position in IT, there are various ways to ascend to it. You can obtain a bachelor’s degree in a computer science or information technology field. In addition, you can obtain a master’s degree, or even a PhD, in a field closely related to cybersecurity. Jim states that a CISO usually requires 10 to 15 years of industry experience, but you can bypass this slightly if you have an advanced qualification. You should also consider taking additional courses and gaining certifications to help you develop risk management skills.
Here are a few courses you could consider if you are interested in becoming a CISO:
- Computer science - this degree provides strong fundamentals in logic, algorithms, and data structures. These are essential skills required for a career as a CISO.
- Information technology - IT degrees cover a vast range of topics relating to the management and implementation of IT solutions. This includes, but isn’t limited to, networking, databases, and systems administration. These are critical competencies needed for a CISO career.
- Cybersecurity - this degree will take you through the fundamentals of cybersecurity, help you identify vulnerabilities, and learn techniques to help you mitigate these potential threats.
What employers value
Jim told Cybernews Academy that employers value experience most. Indeed, you may only be able to secure a job as a CISO with at least 10 to 15 years of experience behind you. So, it’s unlikely that a university student can become a CISO when they graduate. However, you can work your way up to this role. “In terms of experience, a student would need to gain risk management skills and get involved with technology risk management early in their career. Because this will give them some of the skills they will rely on the most. They will be understanding the risks, communicating them, and understanding how to mitigate them.” Many more skills and processes must be learned before ascending to CISO status.
Here are some things that our expert recommends if you are planning to become a CISO in the future:
- Start with education - if you are currently in college, pursue a computer science or information technology degree, as a formal education provides a solid foundation for professional development.
- Get experience - remember, a CISO requires at least 10 to 15 years of hands-on industry experience. Secure entry-level positions in cybersecurity and work your way up.
- Apply for internships - engage with companies and organizations that will help you get hands-on experience in the industry.
- Remain in the know - prioritize continuous learning. As the technological landscape evolves, so do the threats that come with it. Reading articles and other literature, listening to podcasts, and attending meet-ups are great ways to stay updated with the latest technologies.