The Aspiring CIO and CISO: A career guide to developing leadership skills, knowledge, experience, and behavior
Ebook, 620 pages, 4 hours

Language: English
Publisher: Packt Publishing
Release date: Jun 28, 2024
ISBN: 9781835460160

    Book preview

    The Aspiring CIO and CISO - David J. Gee


    The Aspiring CIO and CISO

    Copyright © 2024 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Dhruv Jagdish Kataria

    Publishing Product Manager: Dhruv Jagdish Kataria

    Book Project Manager: Ashwini C

    Senior Editor: Apramit Bhattacharya

    Technical Editor: Arjun Varma

    Copy Editor: Safis Editing

    Proofreader: Apramit Bhattacharya

    Indexer: Hemangini Bari

    Production Designer: Vijay Kamble

    DevRel Marketing Coordinator: Marylou De Mello

    First published: June 2024

    Production reference: 1200624

    Published by Packt Publishing Ltd.

    Grosvenor House

    11 St Paul’s Square

    Birmingham

    B3 1RB, UK

    ISBN 978-1-83546-919-4

    www.packtpub.com

    This book is inspired by my wife Anna, the love of my life, my best friend, and the best teacher that I have ever had. My family - You will never know how proud I am of what incredible adults you have grown up to be. To my grandkids, Azalea (Azzy) and Harrison (Harry), who are the apples of my eye and whom I love dearly. Finally, of course, my parents David and Cindy, who have long passed this world, but whose positive role modeling I try to live up to every day. (I’ve been a very blessed person.)

    Foreword

    For many IT professionals, the roles of Chief Information Officer (CIO) and Chief Information Security Officer (CISO) represent the pinnacle of their careers. The roles are challenging and demanding, and they offer the incumbents the opportunity to have a significant impact on the success of an organization. But how do you get there? What skills and experience do you need? How do you develop yourself to become a strong candidate for these coveted positions?

    In this book, The Aspiring CIO and CISO, David shares his insights and experiences to help you navigate the path to becoming a CIO or CISO. David guides you through the critical aspects you need to consider.

    My own career has been a wonderful journey of learning across different roles and companies. I didn’t have any such reference that I could rely on and had to learn by myself. The book specifically talks about building a career as a CIO and CISO, and I would support that having this ability to pivot across both domains is a real career advantage.

    This book is not just about getting that dream job; it’s about building a fulfilling and successful career in IT leadership. Whether you’re just starting out or looking to take your career to the next level, The Aspiring CIO and CISO provides the roadmap you need to achieve your goals.

    I encourage you to take this journey and turn your aspirations into reality.

    Darryl West

    Former Global Group CIO, HSBC

    Contributors

    About the author

    David J. Gee is a husband, father, and grandfather who just happens to have had the privilege of spending more than 25 years as a business leader in the roles of CIO, CISO, and technology, cyber, and data risk executive.

    David has an eclectic background as a transformation change agent who has lived across five countries and worked in different industries, including banking, insurance, pharmaceuticals, building products, and media.

    He won the Australia CIO of the Year in 2014 for a successful core, mobile, and online banking transformation and the Global Leaders Award from FS ISAC in 2023 for his contributions to cybersecurity in financial services.

    David has reinvented himself throughout his career and is now transforming into a non-executive director and board advisor. He is an avid writer and has published a few hundred articles for CIO, Computerworld, CSO (cyber), and ITnews. His articles have been translated into multiple languages.

    As a venture capital partner, David has enjoyed connecting fintech firms with enterprises and helping these start-ups scale and grow.

    About the reviewers

    Sibylla Muecke is passionate about unlocking value for businesses through better decision-making. She is a lawyer with certifications in information management and leads initiatives in financial services across data, records and risk management, and regulatory policy and compliance.

    Sibylla has received recognition and innovation awards throughout her domestic and international experience for contributions to business efficiency and building organizational capability.

    Lily Couper is an emerging technology professional, currently specializing in technology, cyber, and data risk at Macquarie Group.

    Lily is at the early stage of her career and pondering over longer-term career options, hence she has a strong personal interest in the subject matter of this book. She has a bachelor's degree in history as well as a bachelor of engineering degree with first-class honors from the University of Sydney.

    Table of Contents

    Preface

    Part 1: Your Journey to Becoming a CIO or CISO

    1

    Starting the Journey to Become a CIO or CISO

    Understanding the CIO and CISO roles

    The role of the CIO

    The role of the CISO

    Introducing the CIO career path

    Introducing the CISO career path

    What is your current brand?

    To be a CISO or CIO, what do you need to change?

    Summary

    2

    How to Develop Yourself to Be a CIO or CISO

    Building your development plan – The SKEB model

    Soft skills are hard – Why do they matter?

    Understanding the gaps in your soft skills

    Summary

    3

    Executing Your Career Path to Becoming a CIO or CISO

    Developing your objectives

    Building a plan to make you grow and be uncomfortable

    Paths to becoming a CIO or CISO

    Thinking two jobs ahead

    Introducing an algorithm to accelerate your own growth

    Exploring career approaches to progress

    Reviewing the CIO and CISO interview process

    The external CIO/CISO role

    The internal CIO and CISO role

    Selection as the preferred candidate

    Summary

    4

    CIO and CISO Interview Tips

    Prework and orientation

    The interview

    CIO questions that you may be asked

    CIO interview questions for you to ask

    CISO questions that you may be asked

    CISO interview questions for you to ask

    Summary

    Part 2: What to Do in the First 90 Days

    5

    CIO – The First 90 Days

    Understanding the need for a 90-day plan

    A brief overview of my first CIO 90-day plan

    Exploring People in the 90-day plan

    What does success look like?

    Understanding key players

    Creating your brand

    Engaging your peers and staff

    Assessing and building a team

    Exploring Process in the 90-day plan

    Understanding how IT engages a business

    Establishing personal key metrics

    Accelerating business learning

    Exploring Technology in the 90-day plan

    Reviewing the IT strategy and strategic projects

    Fixing critical hygiene issues

    Understanding Ops and Security

    Sending the right message

    Building your plan for the first 90 days

    Asking yourself the hard question

    What are the show stoppers?

    Rinse and repeat

    Summary

    6

    CISO – The First 90 Days

    A brief overview of my CISO plan for the first 90 days

    Exploring People in the 90-day plan

    What does success look like?

    Understanding key players

    Assessing the cyber team

    Building your future team

    Exploring Process in the 90-day plan

    Understanding how Cyber engages the business

    Establishing risk metrics

    Accelerating business learning

    Understanding cyber governance

    Exploring Technology in the 90-day plan

    Reviewing the cyber strategy and roadmap

    Understanding the security baseline

    Understanding security operations

    Understanding the regulatory book of work

    Building your plan for the first 90 days

    Summary

    Part 3: Being the CIO or CISO

    7

    Moments of Truth (When You Accelerate Your Growth)

    Building a team

    Building a partnership to deliver

    Handling a critical hygiene issue

    Dealing with aftershocks

    Having a sense of duty as opposed to loyalty

    Dealing with your first cyber attack

    Building a risk culture

    Being totally honest

    Getting the CISO and CIO aligned

    Summary

    8

    Understanding the Pressures CIOs and CISOs Face

    The weight of being a leader

    Exploring a day in the life of a CIO

    A day in the life of a CIO

    The stress felt by different CIOs

    Exploring a day in the life of a CISO

    A day in the life of a CISO

    Stress felt by different CISOs

    How the CIO and CISO manage stress

    Summary

    9

    CIO and CISO Survival Skills

    Exploring Maslow’s theory in the context of CIOs and CISOs

    Building a strong foundation

    Making the right career choices for yourself

    Recalibrating your stakeholder analysis

    Cultivating skills to ensure longevity

    Building strategic alliances

    Finding a mentor

    Effectively managing political situations

    Maintaining continuous growth

    Summary

    Part 4: What’s Next in Your Career?

    10

    Looking for the Next Elevator

    Why look for the elevator?

    Choosing the next elevator

    The transit lounge

    Leveling up to build your career portfolio

    Holding the door open for your successor

    Summary

    11

    Risk Management as a Career Option

    Why Risk Management is a viable option

    Why might you want to cross over?

    Risk Management as coaching

    Finding your way to become a coach

    Summary

    12

    What CIOs and CISOs Do in Retirement

    Looking at retirement as a new beginning

    Figuring out how old you should be when you retire

    Looking at a few post-career moves for CIOs and CISOs

    Planning your transition to boards

    Planning a transition into board advisory

    Climbing a different mountain

    Summary

    Appendix

    Index

    Other Books You May Enjoy

    Preface

    Imagine that you are at the bottom of a mountain and making your way up the path. There is snow at the top of it and, along the way, many pointy rocks to navigate. Your destination is the summit, and there are many approaches that you can take to climb.

    This book is intended to be your guide to reaching the summit of your career aspirations. I hope this book inspires the aspiring CIO and CISO to reach their career objectives. You can choose to walk up the mountain or take the gondola lift. The journey on the gondola lift will still have bumps, but you are able to traverse the distance safer and faster.

    Being a CIO or CISO is an incredibly rewarding career journey. You will experience much personal growth and learning and face a new challenge to tackle every day. For many of you, that will be the key motivation for taking on this role, not the status, prestige, or rewards that may come from this position. It might be considered a personal test to see how much you can develop yourself.

    There are many tricks and traps along the way in the career of a CIO and CISO. How can you prepare yourself for this journey? I recommend that you reflect on where you are and what you need to transform to make this a reality. I used the word transform on purpose as each leader will need to stretch into this new form.

    Who this book is for

    You are probably reading this as you would like to be a CIO or a CISO. Regardless of what stage you are at in your career – from starting out to being a senior manager – you might feel that there are gaps that you need to address to make this journey.

    I’ve titled this book The Aspiring CIO and CISO on purpose as I have taken on both roles during the course of my career. Hence, I would encourage you to evaluate these opportunities equally. Both are worthy ambitions to pursue.

    What this book covers

    Chapter 1, Starting the Journey to Become a CIO or CISO, is the starting point of this journey. This chapter helps you to understand your current brand. Your brand is what qualities others associate with you. Your personal brand will dictate whether you are successful in becoming a CIO or CISO. The brand will shape your journey and prescribe what actions you need to take to address any of these perceived gaps. Thus, understanding what to refine and improve is a key factor.

    Chapter 2, How to Develop Yourself to Be a CIO or CISO, explores the Skills, Knowledge, Experience, and Behavior (SKEB) that a CIO and CISO will require. There is a focus on soft skills that the CIO and CISO should aim to possess, and certain specific soft skills for these roles are essential. By the end of the chapter, you will know how to complete your own soft skills gap analysis and set some objectives to progress with these.

    Chapter 3, Executing Your Career Path to Becoming a CIO or CISO, reviews how you can create your career and position objectives for your CV. The concepts of stretch and becoming comfortable with being uncomfortable are explored. We look at how to connect the dots on your career plan and try to think two jobs ahead, to ensure that you understand what SKEB you want to gain for this role to enable you to reach this position. I will introduce the concept of growing others to grow yourself. I also discuss different career path approaches that you may not have contemplated. Finally, we will review the CIO and CISO interview process.

    Chapter 4, CIO and CISO Interview Tips, will delve into interview preparation to land your next CIO and CISO role. I outline the 25 most common questions that a CIO and CISO may be asked. Then I suggest 20 questions, which you should consider choosing two to three from, to ask the interview panel. By the end of the chapter, you will be ready to nail the interview.

    Chapter 5, CIO – The First 90 Days, will show you how to build a plan for starting out as a CIO. I have included a template and described the work required to shape your own plan. There are working examples of how to engage stakeholders, review your IT strategy/roadmap, and engage your new team. I also talk about accelerating your own business learning and the key metrics that send a message to your team and key stakeholders. Then there is a retrospective review to see whether you need to update your 90-day plan for the next cycle. By the end of the chapter, you will be able to develop your own 90-day plan that is tailored to your new role as a CIO.

    Chapter 6, CISO – The First 90 Days, will teach you how to develop your own 90-day plan for a CISO. There is a cyber strategy/roadmap to review and also stakeholders to engage. Once we have understood the stakeholder engagement mapping and plan for the CISO, we will work through an example. The new CISO has to orientate on key risk metrics, and some best practices are noted. There is a review of cyber governance processes, including frameworks to adopt. By the end of the chapter, you will be able to develop your own 90-day plan that is tailored to your new role as a CISO.

    Chapter 7, Moments of Truth (When You Accelerate Your Growth), provides examples of when a CIO and CISO really take on their roles. These are moments that accelerate your learning and gain you respect from your key stakeholders and team. These are moments when you define yourself, and a few scenarios are explored to illustrate how this experience will reinforce positive behaviors.

    Chapter 8, Understand the Pressures CIOs and CISOs Face, talks about the stress and pressure that is faced in a day in the life of the CIO and CISO. There are different types of CIO and CISO, and the stress indicators can vary dramatically based on the natural style that you bring to the table. Then, as a CIO, you have to work effectively with the CISO (and vice versa). Where you are both aligned and not aligned will have to be considered.

    Chapter 9, CIO and CISO Survival Skills, explores Maslow’s theory and how it applies to CIOs and CISOs. With this, detailed stakeholder analysis and approaches can be carried out and provide you with some valuable insights to manage these relationships. There is a discussion around building alliances and when to also look externally for mentors and coaches. Finally, we look at how to avoid workplace politics and ways to navigate certain difficult scenarios.

    Chapter 10, Looking for the Next Elevator, deals with what you should do if you don’t feel the role is a good fit. We will essentially evaluate what the right buttons to press are. There are times when a consulting gig makes sense before you consider returning to another CIO or CISO position. Taking a more holistic bird’s-eye view and reflecting on your career will mean that you consider your life and career decisions closely coupled. Then, when you are ready to leave, we will explore how to efficiently hand over to your successor.

    Chapter 11, Risk Management as a Career Option, is a bonus chapter in which I take you through a career path that you have probably never considered. I explore how your battle scars and SKEB have prepared you perfectly for this alternate career path. The chapter discusses a very different model of risk management than is typical, modeled on being a coach rather than a player, referee, or even spectator. By the end of this chapter, an alternative career door could have been opened.

    Chapter 12, What CIOs and CISOs Do in Retirement, is the final chapter, where you will learn about the mountains you might want to climb next. We will explore some of the motivations you might have and the post-career moves that you can make. Again, given we want to always think two steps ahead, now that you are a CIO and CISO, you need to think about what is next. We will reflect on how to consider this to position yourself better for the future.

    To get the most out of this book

    As everyone will have a different starting point, you may want to read ahead to specific chapters depending on what is relevant to the position you are in. My guidance is that you start off by reading the first few chapters and then jump ahead to any chapters that are most relevant to you.

    You will certainly have questions that you want to try to resolve, so in anticipation of this, I have made a note of 100 questions in the Appendix that you may have that this book can help you to try to answer. As you are working your way through this book, you may find that you want to make note of some additional questions that you would like to be answered. It is also up to you whether you want to satisfy your curiosity and jump to a chapter that answers a specific question, and not necessarily read this book from front to back.

    Again, that’s your choice, and your life and career are very much a journey of discovery. Each of us has to take this journey in a manner that works and makes sense.

    Here are some key questions to ask yourself, numbered to correspond to the chapter in which they are answered:

    1. Why do I need to build my own brand to be a CIO and CISO?

    2. How do I develop my skills, knowledge, experience, and behavior to be a CIO or CISO?

    3. How do I develop my career path to be a CIO and CISO?

    4. How can I nail the interview for a CIO or CISO role?

    5. How do I write my plan for the first 90 days as a CIO?

    6. How do I write my plan for the first 90 days as a CISO?

    7. How do moments of truth accelerate my growth?

    8. How do I manage the stress that comes with the CIO and CISO roles?

    9. What are the survival skills for a CIO and CISO?

    10. How do I plan for my next CIO or CISO role?

    11. Why should I consider Risk Management as a potential career path?

    12. What do I plan to do in my retirement?

    I’m sure that there will be many more questions that arise in your mind as you read this book. Indeed, I’m confident that you will encounter new questions to be addressed, and there are some areas where I won’t be able to provide you with guidance.

    Enjoy the journey and see you on the other side as you rise into your new role!

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.


    Part 1: Your Journey to Becoming a CIO or CISO

    In this first part, you will get an overview of the role of the CIO and CISO and will start mapping your own personal journey to this destination. We will cover the development of your brand and your overall gaps across skills, knowledge, experience, and behavior (SKEB). We will talk about how to reflect on your soft skills and go outside of your comfort zone to grow as you prepare for the role. We will explore how helping others develop will help you get ready faster and be successful in a CIO or CISO position. Getting the CIO or CISO role will be challenging, so interview preparation is key. We will look at the questions that might be asked in the interview and then how best to ask probing questions yourself.

    This part has the following chapters:

    Chapter 1, Starting the Journey to Become a CIO or CISO

    Chapter 2, How to Develop Yourself to Be a CIO or CISO

    Chapter 3, Executing Your Career Path to Becoming a CIO or CISO

    Chapter 4, CIO and CISO Interview Tips

    1

    Starting the Journey to Become a CIO or CISO

    This book is for leaders who aspire to be a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) and provides practical guidance as to how to build a career as a CISO or CIO. You’ve likely opened this book as you have a desire to achieve one of these senior positions. There are few more challenging and interesting roles than these. I’ve written this book as a guide to a younger version of myself, when I was filled with more questions than answers and some degree of uncertainty about the direction of my career.

    The fundamental question that is to be addressed in
