Certs for a CIO/CISO
VelvetPancakes Registered Users Posts: 1
So one day I would like to be CIO or CISO of a Fortune 500 company. I realize that experience is going to be the most important factor in getting such a position, however, if you had the following qualifications, which Certs, if any, would you recommend attaining in order to speed up the promotion process?
BA in Management
MS in Security
Blog >> http://virtual10.com
You speed up that promotion process by doing the right kind of work. All the rest won't get you there without that, although they would be useful to have alongside appropriate experience.
Degree and where you received it from
Communication skills written and verbal
Type of work you have performed in the past
If you can check off 50% of those or more you have a decent shot if not.......
Connections is probably the most important thing ... Working your way up is certainly possible, but probably takes most of your working life - most CIO / CTOs I know are 50+ years old ...
I think it's one of the most important that's why I listed it number 2. Pedigree imo almost syncs up with connections. Most people who are "in the in crowd" have connections. If your father and mother are high level executives and you show any kind of interest you have a solid shot of moving up into at least management. I've seen it time and time again. Not such extreme examples, but similar scenarios. I call it being nepotistic not opportunistic.
You are talking about the 'beautiful people'. Yes they run things, and rotate from company to company with plans for everyone. They tend to bring their buddies along once they have cemented the top job and given them the plum roles. Dave who was a stalwart for 20 years and loyal to his boss working long hours at short notice gets passed over and sees someone new take the job he wanted and worked towards. He then has to work for that person.
Just a fact of life.
I just need to drop 10 lbs and I should be in... at least after I lose another 10 lbs... and maybe 10 more lbs. That should do it.
I would think going beyond CISSP would be good... maybe CISSP-ISSEP, ISSMP, or ISSAP.
This is one of my goals as well... but I have one specific company in mind without any backups... that's just the way I roll.
Couldn't agree more.
I was Dave for 6 years. I'm not bitter but I've seen it happen with my own very eyes. It's why I got out of the gubment at the time. I couldn't stand seeing people with no experience leading people who could out manage and out lead the so called leader.
While I was at the help desk I saw two new hires come in, both within 3 months (the required time to spend at the position before getting hired), were promoted to higher more prestigious teams (PMO and Wintel). Both had finance degrees neither related to IT. The PMO made some sense the server team made no sense. But since they had parents in the company at management levels they moved up quickly. I then later moved to another company and about 4 months later we had a tech come in and he was promoted to system admin. Another child whose parent was working for the same company. Never mind the guy who once did system admin work for 5 years only to lock onto a help desk when the economy hit bad. They passed him over without giving him an interview.
Like you said just the facts of life.
Not a problem! I wish you the best with your 6 ft 5 stature and your charismatic approach
All I know is when I saw the title of this thread, I immediately thought to myself "cert at the C-level? That sounds like a Master's at a minimum...and even then probably from a decently ranked school...not necessarily Ivy League."
Everything else you said is pretty spot on. The good thing about a Master's from the job postings I've seen is that depending on the degree itself (whether it's in IS, MBA or some sort of Management degree with a concentration of IT in it), years of experience can be substituted with one. That was one of my biggest reasons for me pursuing an MSIS degree. However, the want/desire is not enough...you must have your mind right to even want to bother even getting one.
The first thing people think about in management is usually managing people. While that is a big part of it, there is so much more to that. Knowing how to budget, planning a direction that is IN-LINE with the organization's goals, and being a visionary that can make that happen is what makes a great IT manager great.
I agree with this but would like to add more. Since I was and still am (part time) in a strategy/design role I wanted to share my real world experience.
1. Communication is critical it's really number 1. Setting expectations and giving people direction is critical.
2. Planning, Forecasting, Budgeting is critical as well. Not only do you have to plan or control your budget you have to report against it and explain why things are going well or not so well. Too much profit in one quarter could be your undoing in the next. Managing against the baselines and controlling the ebbs and flows can be extremely challenging.
3. Like you mentioned ERP aligning the technology with the business strategy is critical. Why do we want this project? Is there a real business need for this tool set etc.
4. Leadership. If you don't have this skill you are going to be hurting. I struggle in a lot of areas this is one that I don't.
This really is important. Not following this was why the dot.com era busted. When IT is the one dictating business, as opposed to the other way around, that organization will sink quicker than the Titanic. This is why I am such an advocate for IT professionals to learn the business needs of their organization as well as their own tech skills. If all an IT professional does is concentrate on the latest tech, it will make the person's career very stale. IT professionals need to add value not just to their job, but to their organization, which will only add value to his/her career.
One can read all the leadership books you want, take whatever classes at any level of college, or even shadow Jack Welch 24/7...."Leadership" is a quality that one either has or doesn't have. It can't be faked, it can't be learned and then applied...leadership comes from common sense, IMO. A true leader will know when and how to delegate tasks so that the ship continues to sail, when to take the bull by the horns and make sure a critical task is performed, when to use "spin" when something goes wrong (and take appropriate actions to make sure that stuff doesn't happen again.) Etc., etc.
I couldn't agree more.
Let's share more stories about CIO/CTO/CEO..
There are exceptions, but they're gotten by hard work. Remember, it's one thing to improve company efficiency by 100%, but the person seen to improve it by 5% gets the promotion.
The top floor folks can't see through floors, and the social engineers (brown noses, etc.) will manoeuvre their way to being seen to "have done a great job".
FWIW, I'm not bitter, I've just seen it in too many places and it's a game I won't play; hence, self employed.
- that made me chuckle. I don't think I could say that any CIO/CISO that I know fall into that category - at least not the "looks" part.
I imagine that not everyone aspires to be a C-level technology leader. It's not a job that everyone likes to do. And frankly, there's just not that many jobs that are in those roles. While many may feel that it's politics or connections, it's really about hard-work. And staying in a role like that means constant performance at that level because there is always someone else that is looking to do the job if you are not up to snuff.
Most CISO/CIO/CTO's that I know tend to have advanced in their careers through software development tracks - but as they progressed throughout their career - they tend to generalize not specialize.
Here's a guy that, with the help of 4 other people, got me a B in my Information Systems Principles class.
How to Stay Close to the Business CIO.com
Ramon Baez is significant, because he is an example of what I've been talking about in posts in this very thread [before I was even assigned this case study.] He was responsible for aligning IT with a business such as Kimberly-Clark and if I were a CIO today, he would be someone I would model myself after. Though even if I were just in lower management, I would push for a portfolio model; aligning business needs with IT the second a plan is in the formation stage.
I just hope to understand that career path more
That is 100% ITIL. Have a portfolio of service offerings that your customers can view. Consistently moving new ones into play while archiving the services that aren't in demand or that are end of life or don't meet the business's needs. Aligning IT with the business needs to keep the company agile and leveragable.
That's exactly what ST and OSA teach, that's why I went ahead with them. To be honest with you, I thought ITIL was much more informative and helpful from a high level perspective. The PMP/CAPM is so scoped in it's really only useful for project management. And some might say management is management is management.
I tend to believe in that theory, especially since I started reading pure management books and started into the MBA. From both perspectives PMI steals A LOT of theories already out there.
Wow, I seriously did not know that, and I probably would have had at least 2-4 points in my paper if I did. In truth, I kind of took the easy way out with this case and didn't do much of the heavy lifting. (I answered the case questions, and the professor loved my answers for them, and also looked for a few of the sources.)
I will have to rep this, because I learned something new this morning. ITIL will have to be something I really do look at now. Agility was definitely a theme in my ISP course, and we learned how companies are agile through the use of mobile technology.
As someone who has worked with implementers who have used PMI methodologies within project management, I'm definitely not going to discount PMP/CAPM; especially since I see PMPs in sweet demand. A lot of MBA programs tie PM within their programs (including mine.) Still, your point is definitely noted.
But if you are trying to be a true operational manager I think ITIL is more valuable. ***Once you get in the intermediate certifications. But some of their exams can be brutal, I BARELY passed ST and I studied for 4 months and was working in a service transition at the same exact time. It was a perfect storm and the reason why I passed that exam IMO.
Either way you go they are both valuable, I just think you talk strategy so much that the ITIL framework snaps right into your way of thinking and what you are learning.
****However nothing will trump your Masters.
I must admit that ITIL was something I didn't think I would ever have a use for--in large part because I really didn't see what relevance ITIL played, even from an IT perspective. But between my ISP course and a better understanding of ITIL, I think ITIL warrants further investigation after I'm done with my Accounting CLEP studies.
Sometimes it's luck... Sometimes it's hard work.
And, he's never had a certification in any area.
The one ITIL exam that really has me interested, which I won't EVEN think about till I get my MBA is ITIL Service Strategy.
In financial services, with which I am more familiar, CIO's report into the line-of-business P&L's with their own leadership and there is not solid-line reporting to the enterprise CIO. The enterprise CIO is treated more as a service provider to the line-of-businesses. And the line-of-business CIOs actually drive the priorities of the enterprise CIO.
I would imagine that the path probably varies a bit by industry vertical and organization size. A CIO and CISO’s job can vary tremendously based on how an organization is structured. So there is really no magic career path.
The one thing that I will share – at least in my own experience – pretty much every CIO that I know started their career with a software development background. As for CISO’s and Senior ISO’s – it’s a mixed-bag – but again – they have strong software development backgrounds. CISO’s tend to have much stronger technical skills and most have a penchant for details like legal and privacy matters.
In the organizations that I’m most familiar with (again financial services vertical) – CISOs will usually solid-line report to either a CIO or COO with close ties to an enterprise security or risk function. Some organizations don’t have CISO’s but instead have a risk or compliance officer and the infosec function is centralized and supports the line-of-business head of compliance or risk.
Getting to these jobs typically can start with an IT role but usually require years of general management and business experience as well.
The traits of these types of individuals are as N2IT indicated – leadership, a holistic view of the world, and more importantly lots of hard work. I realize that a lot of folks believe that politics and connections play a larger part in reaching senior leadership positions but the truth is that politics and connections will only get someone so far – it’s about performance and contribution to the bottom line that is the measuring stick.
I guess it all depends on the company, there are 500 Fortune 500 companies and ~5 is a small sample set. I think the bottom line is in the individual themselves. I've seen a CEO of a Fortune 500 company only have a bachelors. It just varies too much to stereotype effectively.
What kind of degree? any details?
It's usually both
Here's a story of how NOT to become a CIO (or leader in anything):
An ex-colleague of mine. He is older than me, had more experience than me, but he was working in a different area (Virtualization). He spent his time talking about how some of our colleagues got promoted because of their connections and not because of their hard work. He never shut up. He kept talking behind everyone's back, and it eventually came to management. Management knew that he has a big mouth.
A year later, a big project came (think Millions $$ project) where his expertise was needed. He screwed up. He didn't have the technical expertise needed for the project (although he was trained, and he claimed to be the 'god' of that technology). He didn't meet management's expectations. He lost an excellent opportunity.
Moral of the story, the guy should have used his time better. He could've invested in himself rather than wasting his time talking about politics. He lost a golden opportunity.