Goal: CISO - Next step: MSc or OSCP or MBA?

jonwinterburn Member Posts: 161
edited May 2019 in IT Jobs / Degrees
Hey all.
Looking for some advice on what direction to take my studies next, as I cannot decide!
Experience: 20 years in IT & Security (technical, hands-on plus some management); for the last 5 years I've worked exclusively in security. I've worked in 4 companies (one a huge corp) and have been relatively successful, working up from InfoSec Analyst to now holding the CISO role in all but name (I do the job of the CISO, managing a small security team, but don't have the title - there is no CISO and it looks likely there never will be, where I currently am).
Goal: reach proper CISO level, leading a larger team, earning more money ;)
Qualifications: I hold CISSP, ISO 27001 Lead Auditor/Implementer, HCISPP and a myriad of IT certs. I do not have a bachelor's degree.
Choices:
1. Study for MSc. Advanced Security & Digital Forensics, online at a reputable university (I've been unconditionally accepted for September start, without BSc based on experience, certs and references) = 2.5 years & lots of money, but I don't know if I want to commit to it, nor if it will give me any real value for money
2. Forget the MSc (a lot of money and time and blah blah blah) and instead focus on achieving up to date skills and certs: OSCP, OSCE, CCSP
3. Forget all the technical stuff and study for an MBA = 2 years, lots of money and more blah blah blah
What do you think? Is it worth spending the time and money on the MSc, given the above? Would it be better to go for more technical certs, as per option 2? Or should I hang up my techie shoes and go all in for MBA?
All the CISOs I've met and worked for have had no technical knowledge, just conceptual. They talk management speech (which I can do quite well), but they bluff the technical stuff (which people like us can see right through). I don't want to be an "old-school" blah blah CISO; I want to be the CISO that delivers value to the business, understands his people, speaks their language and bridges the gap between cybersecurity and management. I believe a good CISO should not just be able to influence the board, but also be able to roll up his/her sleeves and muck in with the techies. Do you agree/disagree?
Thanks for taking the time to read my ramblings :)

Comments

  • mikey88 Member Posts: 495
    edited May 2019
    You'll need a master's, I'm afraid, with any Fortune 500. Go on LinkedIn and look up CISOs for the companies you want to work for and you'll see what I mean.
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux

  • jonwinterburn Member Posts: 161
    mikey88 said:
    You'll need a master's, I'm afraid, with any Fortune 500.
    Perhaps. Although my last employer is in the top 10 on the Fortune 500 and they accepted me for a senior role (not CISO) with no degree - admittedly in their UK branch.
  • paul78 Member Posts: 3,016
    All the CISOs I've met and worked for have had no technical knowledge, just conceptual. They talk management speech (which I can do quite well), but they bluff the technical stuff (which people like us can see right through). I don't want to be an "old-school" blah blah CISO; I want to be the CISO that delivers value to the business, understands his people, speaks their language and bridges the gap between cybersecurity and management. I believe a good CISO should not just be able to influence the board, but also be able to roll up his/her sleeves and muck in with the techies. Do you agree/disagree?
    I'm curious what industry you work in? I personally believe that to deliver value to a business, a good C-level tech exec is going to really need to understand the industry that they serve. I actually don't believe that a CISO needs to roll up his/her sleeves and muck in with the techies, any more than a CTO needs to be writing code with the engineering team or the CIO needs to be configuring routers and switches. That's really not their job and it doesn't add value to the business. It's more important to be able to set strategy and vision, run an effective operations team, and align with the business needs.

    About your question about how to focus your studies - I have no suggestions. I think it's really about what you like to do and where you see your skill gaps. Like you, I don't have a bachelor's degree so I don't think you need to necessarily worry about it. But I favor relationship building and networking as a means to boost my career. Perhaps that's where you should focus your efforts on building your brand through speaking engagements and networking opportunities instead of structured studies. Just a thought....
  • UnixGuy Mod Posts: 4,570
    CIO/CISO/CSO/CTO are business roles, not technical roles, so a technical master's/certs won't help. Networking, getting into a tier 1 consulting firm, or moving up within your current company is your best bet. Getting the best MBA you can afford / get admission to on campus would also help immensely, but there are no guarantees.

    Start thinking of getting management experience; you need to lean more towards getting manager/GM/exec roles than a techie role.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Danielm7 Member Posts: 2,310
    Today I learned, you can get an MS/MBA without a BS first. 
  • jonwinterburn Member Posts: 161
    Thanks for the input, guys. Hard decision to make.
  • jonwinterburn Member Posts: 161
    Danielm7 said:
    Today I learned, you can get an MS/MBA without a BS first. 
    Yes, you can - although not easily, there are still prerequisites.

    In order to do an MBA, I will have to complete a 1-year professional cert in management first, then pass the GMAT exam, and submit 2 written references from former employers stating my experience and suitability.

    I was accepted on the MSc. Security course based on my lengthy experience, current certifications, 2 written references from former employers stating my experience and suitability, an interview with the Uni and a written personal statement.
  • CyberCop123 Member Posts: 338
    I wouldn't recommend OSCP/OSCE or any other technical certification if you're going for a CISO role.  

    I think with your experience you've got a good chance of landing a CISO job and I'm honestly not sure how much good an MSc or MBA would do for you.

    I've not done anything around CISO work but every job I have gone for and interviewed for has never ever focussed on degrees or masters.  It has focussed quite a bit on certifications.  However, most of the time the companies just asked about *ME* and it was more a case of them wanting to see if they liked me, and if I had the sort of personality they wanted. 

    My Aims
    2017: OSCP - COMPLETED
    2018: CISSP - COMPLETED
    2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting - COMPLETED
          GIAC GREM - Reverse Engineering of Malware - COMPLETED
    2021: CCSP
    2022: OSWE (hopefully)
  • jonwinterburn Member Posts: 161
    Thanks for your insight, CyberCop123. You raise a good point. I guess I'm just hedging my bets with recruiters; once I get past them, it's usually plain sailing as I usually do well in interviews.

    But it's not just about that. I need to keep studying to improve myself, or I stagnate. However, I'm lazy, and without a goal - be it gaining an industry cert or degree - I don't stick to my studies. Since 2016, I've struggled to find the next big cert to study for, especially after studying and passing exams for pretty much the 15 preceding years. I always had a clear goal and now I don't. That said, I don't want to waste my time and money on something that won't benefit my career.

    Maybe I should look at CISM to complement my CISSP...
  • CyberCop123 Member Posts: 338
    jonwinterburn said:
    Thanks for your insight, CyberCop123. You raise a good point. I guess I'm just hedging my bets with recruiters; once I get past them, it's usually plain sailing as I usually do well in interviews.

    But it's not just about that. I need to keep studying to improve myself, or I stagnate. However, I'm lazy, and without a goal - be it gaining an industry cert or degree - I don't stick to my studies. Since 2016, I've struggled to find the next big cert to study for, especially after studying and passing exams for pretty much the 15 preceding years. I always had a clear goal and now I don't. That said, I don't want to waste my time and money on something that won't benefit my career.

    Maybe I should look at CISM to complement my CISSP...

    Yea, CISM would be a good option.
    Also the cloud-based one would be good too - CCSP.
  • NetworkNewb Member Posts: 3,298
    edited May 2019
    I'd probably go the MBA route... Get a cert, pass the GMAT, and get the couple of references. These don't seem like too big of things to get to me as prereqs. Just looked at a handful of CISO job ads and most seem to at least require a bachelor's degree. Could always just get the Master's in Security that you were already accepted to as well. I know there are fairly cheap options for that (WGU). Either way I would go after a degree based on the short amount of research I did.
  • UnixGuy Mod Posts: 4,570
    To elaborate more on my recommendations, here's a list of some of the tasks that you might do as a CISO:

    1) Manage P&L (Profit and Loss) for the business unit that you're managing. It'll be either you or a General Manager under you that does that. Either way, you need to understand P&L very well. Can you read an accounting balance sheet? Can you pinpoint and explain why the COGS cost went up last financial year? Can you budget to justify how your investment will fit in within the overall corporate budget? Do you know how to read your corporate financial forecasts for the next financial year? Do you know how to interpret them and use them?

    2) Do market research that's not just Googling stuff. You need to use evidence and data (because you'll be asked about it by other executives). This can be done using research firms... but at least be aware of how data analysis works on a basic level.

    3) Develop a strategy. What will your department (or part of the business) do in the next 3-5-10 years, and why?
    Have you read the overall corporate strategy FIRST? Did you understand it? Because your strategy MUST align with it, otherwise it will be rejected.
    Have you addressed all elements of your strategy? What about supplier relationships? Have you budgeted for all of that? How are your margins looking? Did you develop a roadmap that articulates clearly how this strategy will be implemented?


    4) Meetings. Lots and lots of meetings (think 80%+ of your time is here). 'Influencing stakeholders'. How comfortable are you talking to the CFO, convincing her/him that you need X amount of budget to hire X amount of people who seem to quit every 6-18 months? Did you schedule catch-ups with the head of marketing?
    The Chief Marketing Officer is asking for your opinion regarding new investments in brand equity to target a new emerging segment; do you have the knowledge to have a meaningful conversation with her/him?
    Do you have rapport with the seemingly influential head of People & Culture?

    5) Presentations. How good are you at presenting? Can you present to a room full of old grumpy executives who don't care about your expensive IT & how your department did last year? Can you show clear KPIs? Have you got your spreadsheet diagrams ready? Does your PowerPoint look clear enough? Are you sure you explained to them why you spent so much money on Imperva WAF yet the company still got compromised via a phishing attack? They're not convinced, what are you gonna?


    6) Your CEO insists on investing in AI/Machine Learning/ and blockchain. Can you explain to her/him why this is a bad idea? (I know a CIO who was FIRED because he didn't want to invest in AI/Blockchain, he is a family friend).


    7) The CFO doesn't like you, for no obvious reason. They ignore your meeting requests, claim to be too 'busy' for you, and seem to insist that all your investments are pointless. What are you gonna do about it?

    8) Your budget requests got rejected, yet more funds were allocated to team building activities and workshops for the HR department. You are pissed off. How are you gonna deal with your subordinates? They are upset because they can't hire more people; they're stressed out, overworked, and underpaid... someone quit, now your team is under-resourced. What to do?




    ^^ I hope those examples explain why an OSCP/CCIE aren't the correct pathway to a CISO (or any CxO) type role.

  • paul78 Member Posts: 3,016
    @UnixGuy - I think it's pretty uncommon for a CISO to manage a P&L. Most tech exec organizations are cost centers and not profit centers. So budgeting and expense forecasting are more important than revenue forecasting.  Also, I didn't usually have to deal with the balance sheet statements, it was always mostly impact to cash flow that was important to me.

    However - your point is valid - any CxO exec needs to understand a little finance and accounting.

    Personally, I don't know why anyone would want to be CISO :p - average tenure for a CISO these days is less than 2 years. And it's a thankless role in many companies.
  • UnixGuy Mod Posts: 4,570
    paul78 said:
    @UnixGuy - I think it's pretty uncommon for a CISO to manage a P&L. Most tech exec organizations are cost centers and not profit centers. So budgeting and expense forecasting are more important than revenue forecasting.  Also, I didn't usually have to deal with the balance sheet statements, it was always mostly impact to cash flow that was important to me.
    Good points! The CxO tech people I saw who dealt with that were mostly regional execs from tech companies (think Microsoft executives in the APAC region..)


    Agreed on the CISO being a thankless job; they get blamed for any cyber breach, and they don't have the influence that other execs have (like the CFO or even heads of HR..). It'll mature more in the coming years or it'll just be integrated with the CIO/CTO role from the look of it.

  • paul78 Member Posts: 3,016
    UnixGuy said: ...it'll just be integrated with the CIO/CTO role from the look of it
    YES! - I definitely do see that today. And in some ways, I actually think it could make more sense. I waver in my opinion about whether some organization should have a CISO title or simply a head of infosec that is part of a CIO or CTO org.

    Interesting to hear about Microsoft. There are definitely organizations where it can make sense to have a tech exec have profit-center accountability. Now that I think about it, I do have friends with P/L responsibility in their CIO and CTO orgs. And I do remember having a small P/L in my org at one time. Although, I can't imagine how that would work in a CISO org unless it was some kind of managed security service to customers in some b2b company.
  • UnixGuy Mod Posts: 4,570
    paul78 said:
    UnixGuy said: ...it'll just be integrated with the CIO/CTO role from the look of it
    YES! - I definitely do see that today. And in some ways, I actually think it could make more sense. I waver in my opinion about whether some organization should have a CISO title or simply a head of infosec that is part of a CIO or CTO org.

    Interesting to hear about Microsoft. There are definitely organizations where it can make sense to have a tech exec have profit-center accountability. Now that I think about it, I do have friends with P/L responsibility in their CIO and CTO orgs. And I do remember having a small P/L in my org at one time. Although, I can't imagine how that would work in a CISO org unless it was some kind of managed security service to customers in some b2b company.
    I agree with organizations not needing a CISO; a head of InfoSec reporting to a CIO/CTO is enough, where the CIO/CTO can manage overall investments in technology (including security) rather than having them operate in separate functions. I also found that CISOs usually lack both technical depth and business knowledge; they're kind of in between and it's an overall difficult position.

    True regarding Microsoft. Most vendors will have execs/directors in different regions, and they have strict sales targets, so it's more like a sales director job, but with exec/VP titles. It helps them have conversations with the execs they're selling to.

  • paul78 Member Posts: 3,016
    @UnixGuy - so does that change your recommendation to @jonwinterburn >:)

    I stand by my original recommendation, which is that I don't actually have a recommendation on studies. Instead I think that focusing on relationship building (i.e. networking), soft skills, and business/industry knowledge will be more important.

    @jonwinterburn - I was re-reading your original post - is your goal really to be a CISO or is it to make more money? From your description, it sounded like you are essentially head of infosec already and that the only reason you don't hold the CISO title is because your employer doesn't have a CISO role. Perhaps one thing you can do is to ask your current employer for a title change.

    If your goal is really about increasing your income, there could be better ways to get there - after all - after you are CISO, what would you do next? :-)
  • UnixGuy Mod Posts: 4,570
    paul78 said:
    @UnixGuy - so does that change your recommendation to @jonwinterburn >:)

    I stand by my original recommendation, which is that I don't actually have a recommendation on studies. Instead I think that focusing on relationship building (i.e. networking), soft skills, and business/industry knowledge will be more important.
    haha not quite, I just wanted to emphasise that more technical certs aren't the pathway to a C-level job, which is pretty much what you said as well

  • jonwinterburn Member Posts: 161
    Wow - lots of great input here, thanks!

    @UnixGuy - 3, 4 & 5 I have been doing for 4 years now, so very comfortable with those aspects. 1 & 2, not so much.

    @paul78 - Yes, I'm the head of InfoSec, but the CISO title is off the table (made clear to me). Yes, money is the main driver. After CISO, the goal would be to work up to CIO. But money aside, I do enjoy leading my small team and setting strategic objectives, reducing risk to the business, delivering solutions to tricky problems, etc.