How to become a CISO - Chief Information Security Officer

Digital transformation, as well as the value of data in an increasingly AI-driven economy, has pushed cybersecurity from a technical concern to a board-level priority. The Chief Information Security Officer (CISO) has become a critical role within the C-suite to not just protect the technology, but also safeguard the organisation’s ability to trade, innovate and remain profitable. 

For cybersecurity specialists aspiring to reach the C-suite, the CISO role offers both opportunity and challenge. It demands not only technical credibility and understanding, but also commercial awareness and the ability to influence senior leaders under pressure. Drawing on insights from Hays CISO, Neil Khatod, as well as his colleagues, this article explores what the CISO role involves, how leaders reach it, the skills required, and the trends shaping its future.  

What does the CISO do – and who do they work closely with? 

If you’re interested in this role, you’ll already be familiar with the core responsibilities. In short, the CISO’s purpose is to protect the organisation from threat actors, ensuring continued operations and growth. 

However, due to the growing importance of networks, the role is evolving. A modern CISO sits at the intersection of technology, risk and business decision-making. 

Neil explains: “The reason you have a CISO at the table is not because of their technological capabilities. You need to have someone who understands the business and can work with other leaders to identify two things: what must we continue to do to be profitable, and how do we protect that? This could relate to people, processes or technology – a strong CISO is an expert in all three.” 

As new processes or technologies are introduced, the CISO should understand any associated cybersecurity risks and be able to explain these to the rest of the board in a non-technical way. Miguel Duran, Manager for Cyber Security Advisory Services at Hays Americas, stresses: “CISOs who succeed at board level are those who consistently frame cyber risk as business risk.” 

Here are some of the key business relationships that a CISO needs to have: 

  • Executive leadership: A collaborative partnership with the CFO is increasingly essential for the CISO, especially when investment in cybersecurity can easily be undervalued or overlooked. You’ll advise on why certain resources are necessary and how they protect business interests and reputation.
  • Business leaders: The CISO should also have a direct link with any P&L (Profit & Loss) owners within the organisation. The focus of your discussions will largely be on contingency plans. Together, you’ll need to outline how to keep things running as smoothly as possible and put procedures in place in the event of a cyber-attack.
  • Data and privacy leaders: As data becomes both a commercial asset and a regulatory risk, it’s important to guard this and identify potential weaknesses in its security.
  • Network leaders: This is one of the more challenging partnerships for a CISO. The people who run the networks are responsible for their availability; however, the greater the access to a network, the greater its vulnerability. Managing this balancing act can lead to tension but, as Neil is keen to stress: “if you wait till the moment of crisis to have the relationship, it's too late.” 

What are the paths to becoming a CISO? 

In a recent episode of our ‘How Did You Get That Job?’ podcast, Neil spoke with host Shaun Cheatham and fellow guest Jessica Nemmers, a ballerina-turned-CISO. Alongside Neil’s own career in the US Army, this conversation highlighted the different paths available. 

Unlike some C-suite roles, there is no single or linear route to becoming a CISO. In fact, diverse career backgrounds are becoming increasingly common. Broader experience makes it easier to forge successful relationships with other stakeholders, something that people who’ve worked solely within cybersecurity can struggle to do. 

Nonetheless, a history of technical roles is valuable. James Walsh, Director for Cybersecurity at Hays UK&I, explains: “Many senior security leaders transition from broader IT roles because the principles of technology are the foundation for applying cyber controls.” 

Examples of technical disciplines that CISOs have built experience in include: 

  • Network and infrastructure management
  • IT operations
  • Engineering or architecture roles
  • Broader technology leadership positions 

For aspiring CISOs, progression doesn’t just mean getting the right job titles. Instead, ensure that you focus on: 

  • Owning accountability, not just expertise: The extent of your impact will depend on how well you understand your responsibilities and where you can support the rest of the business.
  • Understanding commercial trade-offs: Your strategy, particularly when working with senior stakeholders, needs to be informed by the wider business. You should also know what’s required so you can respond quickly to business-critical situations.
  • Building credibility: The CISO role requires you to influence and communicate with technical and non-technical audiences. 

Which skills does a CISO need to succeed? 

The CISO skill set blends technical understanding with strong human and leadership capabilities. Crucially, it’s not about being the most technical person in the room, but about knowing enough to lead effectively. 

“You can’t be on the keyboard every day,” Neil says, “but if I don’t understand what my team does, I miss the foundations when I’m building the big picture.” 

Technical knowledge 

  • Core cyber security concepts
  • Network and infrastructure fundamentals
  • Data security and privacy principles
  • Understanding of attacker behaviour
  • Compliance frameworks, such as ISO and NIST 

Human and leadership skills 

  • Communication
  • Storytelling to non-technical leaders
  • Relationship building
  • Judgement
  • Constant learning 

Which trends are shaping the CISO role today? 

AI - and the hype cycle 

AI’s capabilities make it a powerful tool for both attacking and securing a network. It’s a shift that pushes CISOs beyond tools and controls into governance, ethics and trust. 

A modern security leader will need to learn about several aspects of AI adoption, including how data is used, how Large Language Models (LLMs) work and how to spot where the hype is overblown, especially among vendors. 

Cybercrime as an industry 

“Cybercrime is a trillion dollar industry,” Neil explains. “There are people whose entire business is finding flaws and selling those exploits.” 

One of the most important shifts happening right now is the professionalisation of cyber-attacks. Without understanding this, organisations risk focusing on minor issues while leaving major vulnerabilities exposed. 

As Neil puts it, “This is a fight we’re in. If you don’t understand the business on both sides — the hacker’s and your own — you’ll always be one step behind.” 

Financial restrictions 

Finally, economic uncertainty is sharpening board focus on value and return on investment. As purse strings tighten, CISOs must be able to identify where value lies and which resources are essential. 

“Defend your organisation with the defences you have, not the ones you wish you had,” Neil says. “How do I get the most out of the tools using emerging technologies, and keep the costs down, so that we can stay in business?”

Next steps

As Neil's own journey demonstrates, there's no one path to the CISO role. However, whatever your background, there are steps you can take to be in the best position:

  • Develop your skills in communicating with non-technical stakeholders
  • Learn what AI can - and can't - do, both for your defence and for those attempting to infiltrate it
  • Stay abreast of trends and industry changes