I'm a cyber practitioner. Can I ever get to C-level?
08:00 Wednesday, 24 November 2021
UK Cyber Security Council
We write regularly about the skills gap in cyber security: a drought of candidates to fill an excess of vacancies. And we are right to do this because it is a tangible problem that will take money, effort and time to address. We do, however, tend to focus on the low- and mid-range roles, discussing at length how we can attract school-leavers and graduates into jobs, and persuade mainstream IT staff to diverge into a cyber-specific career path. But what about the later years of one's working life in cyber security? Once we are in a cyber job, and pursuing career development, what are the options?
Some security specialists will undoubtedly want to remain in hands-on technical careers, and it is rare (one might even say unwise) for a C-level person to be a hands-on techie in anything but a small company. Senior executives are there to define strategy and lead progress, not to patch servers and upgrade firewall firmware.
Many cyber people will, however, have aspirations of developing and becoming senior managers, execs and directors. We have a problem here, of course: with cyber security being a relatively new field, many organisations have yet to decide that they need a Chief Information Security Officer (CISO). And those that two have often decided that it's not - or not yet - sufficiently significant for the CISO to be a full C-level position, and place it so it reports into the CTO, COO or CIO.
Does this mean, then, that a senior security person in the average business with aspirations to become a C-level executive is out of luck, and might just as well resign himself or herself to middle management for the rest of their career? Well, if the aspiration is to be a C-level CISO then very possibly yes, because you can only do that if your chosen company has a C-level CISO.
But what's in a job title? It's not the title that matters, it's the nature of the job. Who cares if you're called the CISO if the role is dull and unmotivating? Just as with any other job, if you look directly upwards and there's no route that way, look in other directions. The obvious direction to consider is into the more general field of risk: cyber security and risk are closely related anyway, and the overlap of skills between the two areas is palpable. And there's a good chance that the Chief Risk Officer will report directly into the CEO - certainly a greater chance than of the CISO reporting that way. Similarly, why not contemplate the potential for a path to COO if you're operations-focused, or even CTO if you are technical. After all, a security techie is likely to have a decent level of knowledge about networks, servers and other infrastructure.
And what about the big job: CEO? There is much discussion about where the CISO should report into, but seldom about whether the CISO can ever become the CEO. And quite frankly, there's absolutely no reason he or she shouldn't be able to. Yes, a lot of CEOs are accountants, and/or hold MBAs, but much of what counts is down to experience, attitude, demeanour and communication.
As for qualifications for the CEO position? Well, if we look at non-tech businesses, we have the likes of Jes Staley (CEO, Barclays) with a degree in Economics. Then you have the likes of Simon Roberts (Sainsbury's CEO) who started work at 16 and worked his way up via M&S and Boots. And if you look at the really big companies - which are all tech giants - those with security backgrounds (particularly techies, actually) won't feel out of place. Eric Schmidt (CEO of Novell and Google in his time) has a degree in Engineering. Satya Nadella (Microsoft CEO) has a first degree in Electrical Engineering and a Master's in Computer Science - though he did add an MBA to both of the above. As did Tim Cook (Apple), who first gained a degree in Industrial Engineering.
So yes, there's absolutely no reason that, as a cyber security professional you can't aspire to - and achieve - an upward career path that takes you right to the top. You might just need to be a little inventive with the path you take on the way there.