Are you a CISO who doesn’t know jack? Here’s how to bridge your own skills gap

Feature
Jun 24, 2024 | 10 mins
CSO and CISO | Human Resources | IT Leadership

CISOs and other cybersecurity leaders come to the profession from many different avenues, often leaving them deficient in one area or another. Don’t panic, experts say, you can fill in those blanks.

In 2023, six years into his job as a CISO, Rob Labbé realized he didn’t know jack. Did he understand the technical aspects of cybersecurity? Of course. He had a college degree in computer programming analysis, CISSP certification, and two decades of experience working in cyber. Yet Labbé had the sinking feeling there was a gaping hole in his knowledge base.

“I was really confident that I knew my shit on the cybersecurity side,” says Labbé, the Calgary-based CEO and CISO-in-residence of the Mining and Metals Information Sharing Analysis Center (ISAC) in Vancouver, British Columbia. “But the realization came a year ago when I was sitting in these meetings: I’m only picking up 20% of the discussion. And why aren’t I invited back all the time?”

As a CISO, Labbé had snagged a coveted seat at the C-suite table. Once he got there, however, he felt like he couldn’t fully speak the language of corporate business. He suspected this was limiting the value of his contributions around that table. While other ISAC executives welcomed Labbé’s input, “my opinion wasn’t grounded in an understanding of how businesses actually make strategic decisions,” he recalls.

Labbé’s aha moment demonstrates just how critical business skills have become for today’s CISO.

“They’ve always been important, but the prominence of them has definitely grown over the last few years,” says Jon France, CISO of ISC2. This laser focus on business acumen, he says, is fueled by the digital transformation of every industry, plus a tide of regulatory changes pushing legal and compliance issues to the forefront.

Although corporate know-how has become more critical to the CISO’s job, “76% of CISOs come from a mostly technical background” such as IT, IT infrastructure, A&E or network security, according to the “Ians/Artico 2023-2024 State of the CISO Report”.

How can the 76% (including Labbé) fill the gaps in their business knowledge? And how can the remaining 24% of CISOs, those who came into the role from non-tech backgrounds such as the military, law enforcement, compliance, or risk management, fill key gaps in their technical knowledge? Upskilling isn’t just for cyber workers; it’s for CISOs themselves.

How CISOs can gain business skills

Once Labbé’s dearth of business knowledge dawned on him, he decided to pursue an MBA. Now just six months into the 18-month program, Labbé says studying business strategy, communication, finance, and conflict resolution is already helping him on the job as a CISO.

“I’m rewriting [security] policies now, based on my new understanding of organizational behavior. People are actually following them now, as opposed to before. And when I’m talking to a vendor, I understand their financial drivers, so I can come up with a better contract because I understand both sides better.”

A newer type of MBA, with a special focus on cybersecurity, has become popular enough for the site CyberSecurityGuide.org to compile a list ranking its top 25.

Of course, an MBA isn’t the only way for CISOs to bolster their business cred. Two divisions of Carnegie Mellon University — Heinz College and the Software Engineering Institute (SEI) — jointly offer an intensive six-month CISO Certificate Program. Aimed at both current and aspiring CISOs, the hybrid online/in-person program requires “at least seven years of relevant experience managing projects and/or people” for admission, according to its landing page.

The program puts a heavy emphasis on business course content such as corporate structure, governance, regulatory environments and budgeting. For example, students “actually create a [simulated] budget proposal from the perspective of a company that has gone through a significant cyber event and is looking to re-posture itself,” says Greg Touhill, director of the CERT program at the SEI.

Read a book, gain business acumen

Reading books is another option for busy CISOs trying to fit business learning into their jam-packed schedules, says Matthew Sharp, CISO of Denver-based Xactly. Sharp actually wrote one: in “The CISO Evolution,” Sharp and his co-author Kyriakos Lambros dedicate chapters to corporate topics such as financial principles, value creation and leading high-performing teams.

“We hoped our book could take MBA-oriented concepts, narrow the number of things you need to focus on, then tailor that to cybersecurity leaders so they would get the core concepts without having to invest a hundred grand and three years in an MBA,” says Sharp, a computer and electrical engineering grad (class of 2004) who got an MBA in 2016 to boost his own business smarts.

ISC2’s France says another avenue to business learning (which he calls “the experiential route”) is literally staring CISOs in the face. “If you’re a technical cybersecurity person in leadership, spend time with your peer group, with the CFO, COO and CEO. If you can, go and experience some of the decision-making processes.”

Two other tools for tech-oriented CISOs looking to polish their business chops are leadership training courses and one-on-one executive coaching. According to the Ians/Artico report, two-thirds of CISOs have either completed or are currently undertaking one or both of those “to build business acumen and executive presence skills.”

The study suggests it pays to brush up on business skills: CISOs with leadership training and/or executive coaching under their belts make an average salary of $550,000 per year vs. $419,000 for those without.

CISOs with technical skills gaps

What about upskilling for CISOs from non-technical backgrounds? The Ians/Artico report shows they now make up more than a quarter of the CISO community: 22% of all CISOs come from a governance, risk and compliance (GRC) background; the remaining 2% hail from neither technical nor GRC pathways.

“There are folks from law enforcement who go into the CISO track as well. We get folks from the business track. We get lawyers who come and take our courses,” says Touhill of Carnegie Mellon’s CISO Certificate Program.

While that program predominantly focuses on business skills for cybersecurity leadership, it also includes subjects such as data science, architecture, tooling, cloud security and network defense for CISOs from non-technical backgrounds.

Aside from a six-month program like this, how else can CISOs with non-tech backgrounds gain the technical understanding they need to craft cybersecurity strategies and lead cyber teams?

Hadas Cassorla, the virtual CISO of Virginia-based Scale Security Group, faced a similar challenge after taking a non-linear route to the CISO role. Though she started out in tech as a US Army systems administrator, she left IT to get a law degree and then worked as a corporate lawyer for two years. After realizing she, in her words, “really hated practicing law,” Cassorla returned to IT jobs before landing the role of Security Program Manager at an Oregon state government agency in 2013.

Leaning on smart colleagues and employees can be an education

Cassorla says she “accidentally fell into” that security role due to her unique background in IT, business, law and compliance. In 2021 she went on to become CISO of M1 Finance. Although she got the CIPP designation in 2013 and the CISSP in 2015, she says there are additional ways for CISOs from non-tech career paths to fill gaps in their technical knowledge.

“I do think training and certifications are an avenue, but they’re not the end-all-be-all. It would be impossible to be an expert in every single one of the CISSP domains,” she says. Besides pursuing self-education, Cassorla advises CISOs from non-technical career paths to harness the power of strategic recruiting and delegation.

“Hiring people smarter than you is super important. Don’t be afraid to raise your hand and ask the stupid questions. The more you lean in on the expertise of your people, the more autonomous they feel. And the more respect you’re going to gain from them because nobody knows everything.”

Is tech upskilling ever enough for CISOs from non-tech backgrounds? The heated issue boiled over two years ago when Reddit hosted an AMA with nine female CISOs, including Cassorla. The CISOs fielded a couple of pointed questions like, “[What are] your thoughts on people becoming CISO with 0 tech background – you know, the MBA types?”

Reflecting back on the AMA now, Cassorla says: “I am a technologist. That’s not my primary role anymore. My primary role is not to do hands-on keyboard work.”

Labbé boils it down to the idea that while technical skills can land someone in the CISO’s chair, the job is now more about business strategy and executive leadership. “The CFO [for example], isn’t just a really good accountant. They’re not there because they do arithmetic better than everybody else or write a balance sheet faster than the next person. That’s not why they’re there.”

France concludes that upskilling should be an ongoing priority for every CISO, whether they come from the technical stream or the corporate ranks: “It’s not a one-shot deal. It’s a lifelong pursuit.”

CISO upskilling resources

Upskilling tips for CISOs from the experts

Choose mentors strategically: instead of someone in your existing business or technical domain, look beyond your comfort zone for someone who’s advanced to the top echelon of the opposite domain you aspire to learn about. – Matthew Sharp

Focus on AI and cloud: CISOs coming from a business pathway should concentrate their immediate technical learning efforts on these two key, pressing technologies. – Sharp

Seek writing and speaking opportunities: for tech-oriented CISOs in particular, podcasting, writing blogs, and speaking at events can help them polish business skills like written and oral communication. – Greg Touhill

Join advisory boards of other companies: these are a great place for CISOs from technical backgrounds to learn the fundamentals of corporate business. – Sharp

Stay curious: don’t wait for a formal degree program or certification to be created in the newest tech trends; learn about them yourself by reading books and articles, listening to podcasts and webinars, and attending industry events. – Sharp