In addition to pursuing CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), and CEH (Certified Ethical Hacker) certifications, up-and-coming security professionals are adding formal business training to their CVs—a budding requirement as IT security becomes a board-level issue and a top priority for the C-suite.
According to a Forrester Research survey, 43% of Fortune 500 CISOs now have a graduate degree and of those, nearly half (45%) have secured their MBA. While a formal MBA isn’t a requirement for a top security post, experts say professionals interested in climbing the corporate ladder must augment their technical chops with critical business skills in areas like contract management, revenue models, and communications.
The additional training is critical, they contend, as the CISO role becomes less internally-focused and more central to connecting security and risk objectives to strategic business goals.
“In order to elevate to where they need to be in the company, the CISO needs to understand business strategy and the mission, vision, and corporate goals,” notes Summer Fowler, technical director for Cybersecurity Risk and Resilience at the CERT Division at Carnegie Mellon’s Software Engineering Institute. “At the same time, the company needs to understand that this role is very integral to achieving those business goals, not just cyber security goals.”
Along with MBA programs, CMU’s Executive Education program at Heinz College offers a six-month CISO certificate, which offers a blended technical and business curriculum in recognition of the growing need for business-focused, IT security training.
The program, a combination of on-site and synchronous distance learning, covers the traditional technical topics such as threat and incident response and cyber risk management along with strategic business training in financial management, crisis communications, and acquisition planning for operations.
Fowler says the Heinz CISO program strives to be forward looking, concentrating on the skills required for a changing role where CISOs no longer just manage security risks for internal data centers and applications, but engage in third-party vendor management given the shift to cloud and mobile.
“The CISO’s role is changing from being inward-facing to managing relationships and risks outside of the company just like the CIO,” she explains. As a result, Fowler says it’s now critical that CISOs be versed in areas like contract negotiations and service level agreements (SLAs) while being comfortable communicating to the board of directors and the C-suite about security issues in a language they can understand. “CISOs need to get out of their comfort zone of bits and bytes and technology and be able to understand how their actions support all the other business functions,” she explains.
According to a Forrester Research survey, 43% of Fortune 500 CISOs now have a graduate degree and of those, nearly half (45%) have secured their MBA.
The Language of Business
For Kevin Morrison, now head of information security for Jones Day, that was the very reason he entered an MBA program in 2007, after four years of working in the technical security ranks as a network administrator. Morrison quickly realized he knew very little about the business side, which made it difficult communicating with leaders in other functional areas about their security concerns in a way that was compelling.
The full-time evening MBA program, which Morrison attended after work two nights a week for two years, not only provided practical business training, but it exposed him to executives in other areas like human resources, finance, and marketing, which Morrison says gave him a completely different perspective on how the rest of the company understands and views security.
“It has given me a different mindset as I approach what we are trying to accomplish as a team,” he explains. “It allows me to have conversations with others in a leadership position in a way they can appreciate. I now understand and can put together budgets, I know the difference between OpEx and Capex—this is not something they teach you when you get a CISSP.”
Shaun Miller, an information security executive who now has a CISSP, CISM, and an MBA, says having formal business training has better positioned him to be the bridge between IT and business, helping to map the right security technologies and risk profile to the company’s strategic business goals. He decided to enter an MBA program 10 years ago after recognizing that IT security was going through a paradigm shift, becoming a business issue, not a technical problem.
“If you have a data breach or any sort of intrusion, it’s a business problem—the share price can do down or companies can go out of business,” he explains. Miller says he quickly recognized he was on the hook for security problems even if he didn’t have the authority to make needed changes.
“I needed to be able to communicate with other functional areas and the board of directors in terms they could understand,” he says. “I had to make the case that information security was no different than any other business risk—the causes and effects were different, but the end result was the same.” While an MBA gave Miller the tools to have those conversations and elevate his role, he acknowledges that it’s not for everyone.
At the same time, however, Miller agrees that aspiring CISOs must do something to advance their business skills, whether that’s through seminars or other certifications. “There are all kinds of things you can do, but you have to do something,” Miller says. “You can’t go from plugging away as a security analyst for 20 years and expect to be a CISO without learning and expanding your knowledgebase.”
We encourage you to share your thoughts on your favorite social platform.