I Asked Three CISOs How To Succeed In Cybersecurity. This Is What I Learnt …
Their Advice Changed My Career Trajectory

I started my Cybersecurity career nearly two decades ago.
Cybersecurity was still maturing at that time, and companies were scrambling to ensure their systems were not compromised.
CISSP or CISA Certified professionals were in hot demand!
I had already decided my career trajectory and where to be in the next 5 years.
I would do a new certification every year, learn new skills, and then get promoted to a CISO position, which was my end goal.
But something changed along the way...
I would speak regularly at seminars and have the opportunity to speak with CISOs who were much further along in the journey than I was.
I made it a point to ask them about my career plans and what advice they could give me.
Some of the tips they gave made me completely reevaluate what career path I wanted to take and what skills I should focus on!
The best thing is that this advice is as applicable today as it was 20+ years back.
1 — “Risk Management Is King”
The first CISO told me to build my risk management skills.
I gave him the standard robotic answer, “We are certified by ISO, NIST blah blah.”
He politely told me to stop talking and focus on ACTUAL risk management skills, not on filling out an Excel spreadsheet.
Most cybersecurity professionals memorize what risk management is from a CISSP or CISM textbook but rarely apply it in practice.
Risk management is not about an Excel spreadsheet .. it is about making pragmatic, difficult decisions that you can back up by cold, hard data
It does not matter whether you are securing a legacy AS400 system or the latest GenAI program .. you need to learn risk management.
One CISO told me about this scenario:
“We got hit by a ransomware attack that shut down our operations and demanded a hefty ransom .. the pressure from the business was immense.
Executives were going crazy about the financial loss and operational disruption.
We quickly assessed the impact, identifying affected systems and analyzing the financial implications.
I had my team research the attackers’ credibility, and the risk of future attacks, if we paid, was crucial. We explored alternatives, like restoring from backups, and activated our incident response plan.
With input from legal, finance, and IT, and consultations with cybersecurity experts and law enforcement, we weighed the risks and benefits of paying versus not paying, considering our risk tolerance and long-term strategy.
Despite the mounting pressure, we decided not to pay the ransom, focusing on recovery via backups and enhancing our security measures.
This structured risk management approach allowed the company to make a well-informed decision that balanced immediate impacts with long-term security. It also justified this decision in front of the CEO!”
2 — “Soft Skills >>> Technical Skills”
“Technical skills only take you so far ..” was a hard truth to hear at a time when I was upskilling like crazy.
But it is the truth if you want to move up!
It is incredible how many Cybersecurity professionals freeze up when:
Presenting findings to management and drowning them in “techno-babble.”
Being confronted by management when cybersecurity controls affect business operations.
Justifying why a given Cybersecurity solution costs so much and why it simply cannot be removed.
If you want to succeed in Cybersecurity .. focus on these skills:
Communication
Learn how to explain complex topics without using technical terms. Choose a non-technical colleague with whom you are friendly and then practice explaining a complex cybersecurity concept to them.
Presentation Skills
Instead of taking that next hacking course .. join a group that focuses on improving your public speaking skills. Learn how to use graphs and other visuals to present your data more effectively.
Negotiation
Whether you are bargaining for your promotion or justifying the next AI-powered firewall… you need to learn how to negotiate, especially when approving or rejecting requests.
Being the “NO” guy every time will simply make people bypass you and give you a bad reputation.
Instead of saying “NO” .. learn to say “YES .. BUT.”
Learn how to develop good listening skills to understand where the business is coming from.
Conflict Resolution
Easily the one I would focus on the most.
Learning to stay calm under pressure is essential for a job like Cybersecurity, where incidents might happen anytime.
Instead of having a panic attack .. learn how to calmly analyze situations and break them down into small, manageable chunks.
Remember that the team might be looking to you for guidance, and staying calm goes a long way in keeping the team organized.
3 — “You Do Not Have To Become A CISO To Be Successful”
This is the advice I deeply regret ignoring.
One CISO told me how reaching his title should not be the end goal, which I simply could not accept.
I became a CISO five years into my career and realized it was not the glorious position I thought it would be.
I was spending more time making PowerPoint presentations than doing actual cybersecurity work!
There was also a lot of conflict involved where businesses wanted applications to launch TODAY and simply would not take NO for an answer.
I realized that I was much happier with a balance of technical work and the occasional advisory role, so I moved into Cybersecurity consulting.
Honestly, this is the job I have enjoyed doing the most!
Do not blindly follow other people .. find out what your end goals are and what you value doing the most in Cybersecurity.
It is very much possible to earn the same salary as a CISO without the pressure and baggage that comes with it!