Mike Pedrick’s Post


VP Consulting | CISO | vCISO | Mentor | MSc.| CISSP | CCSP | CISM | CRISC | CMMC RP | Building Better Consultants, Better Clients, and Better Outcomes

Predictably, Caleb H. Mattingly, CISSP's post on #cybersecurity #gatekeeping is getting a lot of attention. I think that a lot of folks guard the #CISO role so jealously, based on the effort it takes to get to a truly thankless position (one subject to all of the vulnerabilities of the executive suite with none of the spoils), that threats to that status are offensive. Pick a thing we've heard over the years.

➡ You can't be a CISO if you don't have the right certifications
➡ You can't be a CISO if you don't have the right degrees
➡ You can't be a CISO if you didn't come up through the #informationtechnology ranks
➡ You can't be a CISO if you've never been a CISO before (yeah; let that marinate a moment. Caleb calls out this absurdist notion in his thread).

This 'battle' has apparently stagnated to the extent that the #InfoSec community has now targeted the #consulting community. You can't be a consulting CISO or fractional #cybersecurity leader if:

❌ You don't have the right certifications
❌ You don't have the right degrees
❌ You don't consult on All Things Technology

...And of course:

❌ You've never been a CISO in enterprise

I'm not here to debate the value in leaders in this space understanding the technologies involved. I'm also not here to engage the insourcing vs. outsourcing debate. I *am* going to put a flag in the ground here by saying that #business leaders are looking for the CISO role to understand *their* language. Consultants bring a unique perspective to the conversation, having had the pleasure and honor of working directly with clients in multiple industries, of multiple shapes and sizes, and with varying priorities. They didn't come up through the ranks of a singular organization - they came up through the ranks of many.

...Unless, of course, you're dealing with someone new to the organization entirely who's wearing a title they haven't quite earned, but let's be honest with ourselves: that's by no means unique to the fractional/virtual CISO role. I've met more than a handful of 'technology experts' who were pushing cellphone cases at a mall kiosk ten days prior.

If you could name three things you wish your CISO knew in five words or less, what would they be?


Security Lead @ AllTrails | Security & Compliance Expert | Real Estate Investor | Space & AI Enthusiast

Cybersecurity gatekeeping doesn't go away once you're in the field. Just last week I saw a post about how foolish it is to hire a vCISO who hasn't held the "CISO" title before. The argument made was that hiring someone who hadn't had that title before was like buying "gas station sushi". It made me sad thinking about that mentality applied across the board. If you can't hire a vCISO who hasn't been a CISO before, how can you hire a CISO that hasn't been a CISO? It's the same role, just at a fraction of the time commitment. There is a real lack of abundance mindset in cybersecurity and a real prevalence of scarcity mindset. "If someone else can take that role, then there's less for me." We have to stop that. It's the reason we have so many open cyber jobs too. "If someone can backfill my role, then they can also steal my new job too." Be the change. Cut out the insecurity and let's build a better cybersecurity workforce (I know that sounds a bit GPT-ish).

Andrew Hornback

Information Security Leader / vCISO

1mo

I had a situation a few years ago where a recruiting sourcer had reached out to me about a CISO role for a fairly well-known name in the technology space. I had the criteria that they were looking for, the cultural fit really worked on first glance and everything else lined up. We moved forward and the sourcer was evidently “laughed out of the room” by the client’s HR department. (Yes… HR). Their guidance was that in order for me to become a CISO, I should go work for a small non-profit, achieve a specific title and then use that as leverage moving forward. When HR prizes previous titles above capability and other, much more germane criteria… there is a SIGNIFICANT problem. If you’re in this business only to attain and hold a specific title… there is a SIGNIFICANT problem.

Gibby McCaleb

Global Information Security Leader | CISSP | Deputy CISO | Director of Security Operations | Certified CISO Associate | SOC SIEM Cyber Defense Vulnerability Management | Lean Six Sigma | Member FBI Infragard

1mo

My two hiring mantras are "I don't hire people for what they've done. I hire people for what they can do." And "Attitude trumps resume." Get the person with the right attitude who is hungry to learn and takes direction, they will blow away someone with 25 different certifications and a packed resume.

Alexandra Nickoli

Helping companies build Technical Teams | Chief People Placer | Security Recruiter | Cybersecurity Staffing | Poodle Pups Rescue

1mo

Wow, I thought you would get a lot of debate on this subject. I'm interested to hear people's opinions on this matter.
