The cybersecurity industry had challenges with bringing in new blood and facilitating career growth.
Misinformation has unfortunately played a part in making various roles appear unattainable, when we should be doing the opposite. We should be embracing flexibility, identifying opportunities, and most of all discussing realistic expectations and roles.
I stumbled upon an article titled “Know more about colleges, jobs, and courses to become a CISO” where they outline the role and qualifications for Chief Information Security Officers. I was shocked at the inaccuracy.
Here is my rant in video form.
Who writes this stuff? I think many great candidates would be turned off by this and others, who have some of the listed skills would be surprised by how they are not applicable to the CISO role.
Let’s take a look at a few of the concerning ‘QUALIFICATIONS’ that CISO candidates should possess:
“Understanding of SMTP, DNS, HTTP, Network routing, VPN, and other technologies”
Nope, you have confused us with network engineers/architects. We know what these protocols, languages, tools, and architectures are, but likely would not be qualified to design, configure, troubleshoot, or readily determine the specifics if someone is abusing them. That is why we leverage highly specialized technical experts for configuration and comprehensive inspection.
“Understanding of Digital Millennium Copyright Act, trademark, intellectual property, Safe Harbor Provisions, GDPR, and other federal and international legal precedents…”
You have mistaken us for our close partners, the lawyers and privacy experts. Each of these areas requires a high degree of expertise. Even a small error can become a big legal problem. CISO’s know these areas but are not experts. Again, we partner with others.
“Ability to read and analyze multiple log formats.”
I don’t know of a single CISO who spends their days analyzing logs. That is a SOC level 1 or level 2 function. Important, but the CISO’s time is not well spent on log analysis!
As a kicker, the author has signed us CISO’s up to make “a framework for risk-free and scalable operations “. Risk FREE?! Wow, good luck with that.
The proper function of a CISO is to manage risks to an acceptable level. We cannot eliminate all risks. Even if it were technically possible, which it is not, it would be infeasible due to extreme cost and added friction for users.
I call all this out because misinformation is harming our industry by setting inaccurate expectations. We must clean up job descriptions and clarify the actual roles and responsibilities of positions.
For those interested in more of my rants, insights, and strategic viewpoints, take a look at my Cybersecurity Insights channel: https://www.youtube.com/c/CybersecurityInsights