You have been in the security industry for a couple of years and are looking for a way to propel your career to the next level. You saw the Associate C|CISO certification, and it sounded good. You went for it, and you obtained that certification. Excellent!

One question remains: What are the following steps to advancing your career and reaching your goal of becoming a security executive?

By earning EC-Council’s Associate C|CISO certification, you have been given a great view into your current experience versus the professional qualifications required of a CISO. When you went through the Body of Knowledge domains, you could see what you were familiar with and what areas you needed to focus on to gain experience and become a leader in the security industry.

How Do I Get That Experience?

You can broaden your security industry knowledge by shifting through different job titles or getting additional program-level exposure through cross-training within your current organization. Some security professionals change companies to gain experience to elevate their careers. Regardless of your approach, the CISO position requires fundamental knowledge of security programs and business so that you can know how specific functions work.

Generally, IT security programs focus on delivering four primary services:

• Compliance Management
• Risk Management
• Security Operations
• Architecture

Some companies outsource one or more of these services to third parties, the most common being security operations via a managed security services provider. There are always nuances and differences between security program implementations because each is tailored to meet the needs of the organization and its supporting business functions. These four capabilities are core to every security portfolio, but variations are common. For example, a company with large personal or financial data repositories might include a data protection function within the security program.

To be a security leader, you should strive to gain experience and knowledge within the four standard functions of a security program.

• Compliance Management

  This function is usually semi-technical and is the most straightforward of all the functions. You track security controls and implementations against standards and requirements (regulatory and non-regulatory). You need to understand how technical and non-technical controls satisfy protection needs within the organization. Another primary compliance function is to provide customer and vendor compliance tracking. This involves managing questionnaires regarding security capabilities and supports controls you apply for customers or regarding companies you rely on to protect your systems and data.

• Risk Management

  This semi-technical program involves assessing, communicating, and managing risk. The basis of the program is the risk assessment process, which can be applied to something as granular as an application interface or vendor product or to a task as large as assessing security controls deployed within business units. The risk management program provides the primary method of communicating risk in terms the business understands. The risk management program explains the need for security to the organization to employees, senior leadership, and the board of directors. The risk function is critical to the security program because it guides business investment and spending decisions for resources used to manage risk to an acceptable level.

• Security Operations

  SecOps is typically more of a technical function, providing services such as monitoring for threats, responding to incidents, and finding vulnerabilities using security tools deployed throughout the IT architecture. This group also provides threat hunting and threat/vulnerability management. SecOps is typically an organization’s first line of defense, providing 24/7 monitoring, alerting, and response capabilities.

• Security Architects

  This group consists of security engineers responsible for providing guidance and implementation for an organization’s overall technical security tools. They work closely with business units and the IT function to design, install, and help maintain security solutions that provide integrated and orchestrated technical security capabilities. Architects and engineers usually design systems with the concept of defense-in-depth, providing multi-tiered protections that increase according to the criticality of the IT infrastructure.

Getting experience in these four primary functions will provide you with an excellent foundational knowledge of security functions within the program. As you get comfortable with these “big pieces,” you should seek positions or opportunities that allow you to participate in the governance of the security program. Governance involves the business side of security, such as managing budgets, determining human resource requirements, monitoring security technology licenses, or building a long-term roadmap for a security program’s direction. As you progress through management positions, you will probably be exposed to this aspect of the security program. Leaning in to help with the business side of security will provide excellent opportunities to broaden your knowledge and experience as you progress toward an executive leadership role.

There is one other path you can take that differs from the above. Working for a significant global security and privacy consulting organization that provides a wide range of services can provide rapid, broad, and deep security program knowledge while enabling rapid personal and professional growth. Be warned that there is typically a lot of travel and rapid learning while you are en route to becoming the expert on the ground. Some find it difficult or painful, but the fast-paced, high-demand (and at times somewhat scary) business situations create the best opportunities for experience. Consulting isn’t for everyone, but this field of the security profession can deliver more significant potential for exposure to a wide range of technologies, cultures, business models, industries—and pressure to deliver solutions.

Regardless of your path, be a little cautious about ‘job hopping.’ Changing companies too frequently can look bad on a resume. Recruiters typically look at rapid changes from two perspectives. The first is “fit.” Maybe you did not work well within the structure or culture of the organization, or you did not fulfill their needs. Whether you left voluntarily or involuntarily, recruiters tend to think it was the latter. You can’t blame them: they are trying to make professionally sound decisions for the organization.

The second reason for potentially harmful optics on frequent job changes is sustainability. Are you in it to deliver value to the organization or just passing through on your way to another opportunity? Recruitment efforts cost time and money and usually incur a sizeable organizational investment. Companies like to spend their precious recruitment resources on stable, well-qualified candidates that will be with them for a while. The higher potential for a recruit’s staying power in a job means a distribution of recruitment spending over a longer time, which in turn provides higher value to the organization.

My advice is to spend a couple of years minimum in a job. You can usually gain experience within multiple C|CISO domains simultaneously, depending on the job responsibilities and your exposure to other security functions. Your goal is to be a security executive. Use your time wisely and gain as much industry knowledge as possible.

Associate C|CISO to C|CISO and Security Leadership

As an Associate C|CISO, your next logical step is to gain professional experience as outlined above. Analyze the C|CISO Body of Knowledge and other program materials available to you to determine the types of positions that will get you comfortable with all aspects of your goal: that of a security executive role. Create a career roadmap and start that professional journey toward being an industry leader. Do not leave the implementation of your plans to chance—actively pursue your dream.

As an Associate C|CISO, how do you obtain the C|CISO certification? Once you have the requisite experience, you will complete an application form detailing your experience. Once it is validated, you will be allowed to take the C|CISO exam, and upon passing it, you will be awarded the title of C|CISO. This certification demonstrates your depth of knowledge and experience and your professional commitment to the security profession. It says you are ready for the challenge of being a security executive and industry leader.

Get that critical experience. Then apply for EC-Council’s Certified CISO Program.