How To Become a CISO (Chief Information Security Officer)

As the importance of cybersecurity is becoming increasingly apparent to major corporations and other organizations, IT professionals have been edging their way into the C-suite. One example is chief information security officer (CISO) — a position that many corporations have embraced, modernizing their organizations to take on the challenges of the 21st century. Could a C-suite position be in your future? In this guide, you’ll learn how to become a CISO, including important CISO responsibilities and skills.

In This Article:

• The History of the CISO
• What Is a CISO? Core Job Responsibilities of the CISO
• How Do I Become a CISO?
• Careers for Chief Information Security Officers and Cybersecurity Degree Graduates
• What Experience Do I Need To Become a CISO?
• Further Recommendations After School
• The Future of the CISO Role

The History of the CISO

Steve Katz is widely recognized as the world’s first chief information security officer.¹ Katz began his career in cybersecurity consulting before cybersecurity was a buzzword. During the next few decades, Katz’s job responsibilities continued to evolve as PCs were introduced, and he climbed higher on the corporate ladder to eventually become the CISO of Citibank. In 1994, the importance of cybersecurity hit home to the corporation when there was a massive data breach in the international funds transfer system.¹ In response, Katz was named as the CISO of the world’s first cybersecurity executive office.

Today’s CISOs don’t have quite the uphill battle that Katz faced. Modern CEOs and CFOs have a better understanding of the damage a data breach can cause and the importance of strong cybersecurity measures. The potential setbacks hackers can cause add value to the chief information security officer’s role.

What is a CISO? Core Job Responsibilities of the CISO

Every organization has unique needs and business processes. At some corporations, the CISO is given free rein while at other organizations, the CISO has less creative discretion. So, what is a CISO? All CISOs have considerable decision-making powers. Some of the best employees in this occupation can pull management and security together.

Some core CISO responsibilities include the following:

• Recruit and hire for information technology jobs
• Lead a team of cybersecurity professionals to accomplish goals that benefit your workplace
• Develop a strategic plan regarding the formulation of cybersecurity programs and measures
• Oversee the creation and compliance of the organization’s security policies, procedures and standards
• Develop comprehensive risk assessments based on audits of existing tech systems
• Stay alert to new cybersecurity threats and evolving infrastructures

In addition, a savvy CISO will remain mindful of the importance of continuing education and professional development. They will spearhead efforts to connect the IT staff to training programs. Keeping a well-trained staff is an important task for any manager so they can handle complex IT issues.

The CISO responsibilities may also design and implement cybersecurity education training programs designed for the average (non-IT) employee at the company or for the consumers the company serves. These courses can help to have other departments and consumers make smarter choices online. In short, a typical CISO’s day is divided between technical duties and non-technical leadership responsibilities.

How Do I Become a CISO?

Becoming a CISO is an excellent career choice if you enjoy leadership, security and working with government insight, lawmakers and policymakers. An undergraduate degree in any information security discipline, such as a bachelor’s degree in cybersecurity — or in business administration — would be an excellent prerequisite.

Future CISOs usually go on to pursue a master’s in cybersecurity degree or certifications in cybersecurity. This specific position requires exceptional drive, determination, dedication, strong leadership skills and a forward-thinking mentality. One of the most important CISO responsibilities is to remain continually educated on the latest trends in the field.

Important CISO Responsibilities and Skills

• Strong Technical Background: Students looking to become cybersecurity specialists or a CISOs should have a strong technical background and should understand how to use technology to protect data, networks and systems. A CISO should possess knowledge about current threats and vulnerabilities that equips them to design and implement effective security infrastructures.
• Highly Organized: Because cybersecurity involves managing multiple projects simultaneously, cybersecurity professionals and CISOs must have a clear vision and plan of the security and schedule to implement changes quickly and effectively. Setting and meeting deadlines is crucial, as most cybersecurity projects require quick turnarounds.
• Effectively Manage People: CISOs must be able to provide clear directions, set expectations and support the people they manage. Strong leadership skills, including motivating teams, are crucial skills to create a positive work environment as a cybersecurity specialist or CISO. Leadership skills can be learned through mentorship programs, business certificate programs or an MBA in Cybersecurity degree.
• Ethical Innovator: CISOs are innovative, ethical and always looking for new ways and best practices to improve their organization’s security. CISOs understand the importance of data privacy, compliance requirements and staying updated on regulations. Experimenting with new technologies, attending conferences and networking ensure cybersecurity specialists become ethical innovators.

Additionally, cybersecurity degrees often culminate in a capstone course where students use their newly learned skills to develop a full cybersecurity program. Completing a capstone course demonstrates proper use of CISO responsibilities while taking ethical or legal challenges into consideration.

Careers for Chief Information Security Officers and Cybersecurity Degree Graduates

Cybersecurity degree programs teach students how to become a CISO by providing hands-on learning experiences and deep dives into the CISO responsibilities that prepare graduates for success in challenging, high-tech careers. A cybersecurity degree guides you on how to become a CISO by meeting specific core competencies that include the following:

• Risk assessment
• Security policies
• Principles of cybercrime
• Identifying attack vectors
• Impact and analysis of failed security measures
• Encryption protection
• Layered security defense strategies

The demand is high for CISOs and highly trained cybersecurity specialists. According to the 2022 (ISC)² Cybersecurity Workforce Study, there is a need for an additional 3.4 million professionals in the global cybersecurity workforce.⁶ Some job opportunities for cybersecurity specialists who have CISO responsibilities and skills, as well as a master’s degree in cybersecurity, may include the following:

• Computer network architect
• Database administrator
• Computer and information systems manager
• Database architect
• Network and computer systems administrator
• Computer system analyst
• Information system analyst
• Information security analysts
• Computer and information research scientists
• Software developer
• Software quality assurance analyst and teacher
• Data scientist

If you enjoy planning, coordinating, analyzing and securing networks for organizations, you may find fulfillment in learning how to become a CISO, or in pursuing jobs as a chief information security officer or computer systems analyst. According to the U.S. Bureau of Labor Statistics, the median computer systems analyst salary was $99,270 in May 2021.²

What Experience Do I Need To Become a CISO?

Everyone will have their own story and pathway to becoming a CISO, and employer requirements may vary. However, most CISOs have eight to 10 years of professional experience in information security, as well as a few relevant certifications. Although several different paths can be taken to become a CISO, most positions require a bachelor’s degree as well as extensive cybersecurity and leadership experience. Aspiring CISOs can pursue bachelor's-level computer science or cybersecurity degrees, whereas others may choose cybersecurity-related degrees such as information assurance, computer engineering and computer forensics.

How Long Does it Take to Become a CISO?

Becoming a CISO typically takes several years of experience in information technology (IT) and information security (IS). Many CISOs hold advanced degrees and certifications in the field. The exact time frame for becoming a CISO will vary depending on individual factors such as education, experience and professional development opportunities. It's important to have a solid understanding of the industry, current security trends and best practices, as well as experience in managing teams and projects.

Further Recommendations After School

After getting a degree, you should consider getting certifications. One of the top certifications for anyone in the cybersecurity field is the CISSP (Certified Information Systems Security Professional). The certification shows you can create and implement a strong and secure network. It is important to note that you must have five years of paid work experience before taking the test.³

The PMP (Project Management Professional) is another certification that is worth considering. A PMP is a certification based a project management and learning the best methods to leadership. Managers who earn this certificate will have a nice credential on their resume. Once you earn a four-year degree, you must have 36 months leading various projects. Alongside the project leadership, you’ll need 35 hours of project management training or obtain a Certified Associate in Project Management (CAPM®) Certification.⁴ A CAPM® is their entry-level certificate for those wanting to pursue management.⁵

The Future of the CISO Role

Just by taking a quick look at Steve Katz’s career as the first CISO, it’s easy to see how rapidly this managerial position has evolved over time. It’s expected that, like cybersecurity itself, the role of the CISO will continue to be redefined during the coming years and decades.

One anticipated trend is the need to define an overarching, long-term cybersecurity strategy for each organization, rather than allowing a company’s information security program to be immediately affected by each new headline about data breaches. Future CISOs will need to be visionaries who provide strong leadership to keep the company steady even amid temporary cybersecurity setbacks.

The College of Science, Engineering and Technology at Grand Canyon University (GCU) is a leader in cutting-edge tech degree programs. When you earn your Master of Science in Cybersecurity, you will be better prepared to pursue high-level leadership positions within cybersecurity. Additionally, if you have an undergraduate degree in a field other than cybersecurity, consider applying for GCU’s certificate in cybersecurity to learn more about how to become a CISO. Fill out the form on this page to speak to an academic advisor about pursuing an education in cybersecurity.

Retrieved from:

¹ Cybercrime Magazine, Backstory Of The World’s First Chief Information Security Officer in August 2021

² The earnings referenced were reported by the U.S. Bureau of Labor Statistics, Computer Systems Analysts as of May 2021, retrieved on Feb. 14, 2023. Due to COVID-19, data from 2020 may be atypical compared to prior years. The pandemic may also impact the predicted future workforce outcomes indicated by the BLS. BLS calculates the median using salaries of workers from across the country with varying levels of education and experience and does not reflect the earnings of GCU graduates as computer systems analysts. It does not reflect workers’ earnings in one city or region of the country. It also does not reflect a typical entry-level salary. The median income is the statistical midpoint for the range of salaries in a specific occupation. It represents what you would earn if you were paid more money than half the workers in an occupation and less than half the workers in an occupation. It may give you a basis to estimate what you might earn at some point if you enter this career. You may also wish to compare median salaries if you are considering more than one career path.

³ (ISC)2, CISSP Experience Requirements in August 2021

⁴ Project Management Institute, Project Management Professional (PMP)® in August 2021

⁵ Project Management Institute, Certified Associate in Project Management (CAPM)® in August 2021

⁶ (ISC)², (ISC)² 2022 Cybersecurity Workforce Study in March 2023

Approved by faculty for the College of Science, Engineering and Technology on Feb. 15, 2023.