Chief information security officers (CISOs) stand atop the cybersecurity career ladder. Only the most educated and experienced professionals reach this level of the field to oversee large cybersecurity teams, systems, and operations.
According to the Federal Bureau of Investigation, cybercrime losses approached $7 billion in 2021 alone. Cyberattacks can ruin organizations and lives as attackers become more intelligent and better equipped. Companies need security specialists who can develop, manage, and adapt their security infrastructure and strategy.
While becoming a chief information security officer can be a long and arduous process, these professionals enjoy the many perks of an executive occupation. Here, we examine the role in detail, along with the necessary steps to get there.
What Is a Chief Information Security Officer?
The CISO role varies by organization and industry. These professionals oversee information security architecture and operations. They aim to protect their organization's assets while supporting technological endeavors. CISOs implement security technologies to identify vulnerabilities and develop strategies to overcome them.
Depending on the organization, CISOs may lead cybersecurity teams and collaborate with the chief information officer (CIO), chief technology officer (CTO), or chief security officer. CISOs also provide regular input on security risks and the implications of all digital business decisions to chief executive officers (CEOs) and other stakeholders.
Education Requirements for CISOs
Education requirements for CISOs depend on the specific role and size of the organization, but these professionals typically have bachelor's degrees at minimum. Four-year degrees in information security, computer science, or other related fields provide students with foundational cybersecurity skills and knowledge. These programs also allow graduates to pursue entry-level information systems and security positions.
Cybersecurity professionals can enhance their qualifications with industry certifications and graduate degrees, along with completing cybersecurity bootcamps. In addition to the advanced and specialized cybersecurity studies, a two-year master's program provides valuable leadership training. Advanced degrees may also help graduates qualify for certifications, earn higher wages, and reduce the experience requirements for CISO positions.
Many organizations seek professionals who value learning and improving their credentials. Individuals who regularly update their skills with continuing education and relevant certifications should have better employment chances.
Experience Requirements for CISOs
CISOs need extensive cybersecurity and leadership experience for employment in most organizations. The requirements can vary depending on the size of the organization and the position's responsibilities, but they often exceed 7-10 years. To qualify for professional certifications in this field, candidates usually need more than five years of experience.
For some employers and positions, professionals with advanced degrees may not need as much experience. In some cases, internships and practical training opportunities in graduate degree programs and bootcamps may substitute for professional experience.
Internship Opportunities
Many cybersecurity programs at the undergraduate and graduate levels include internships. Along with practical training, internships provide mentorship and networking opportunities. The following list includes some popular examples.
- NSA Cybersecurity Programs: The National Security Agency hosts summer internships, including Centers of Academic Excellence-Cyber Ops, cyber missions, and cybersecurity directorate programs. These 12-week internships provide salaries based on education level.
- IBM Internships: IBM hosts several paid internship opportunities each year for cybersecurity students, including penetration testing and cybersecurity consultant positions. Most internships run through the summer.
- CISA Cyber and IT Internships: The Cybersecurity and Infrastructure Security Agency features internship programs for active students and recent graduates. Participants typically work on paid mission-focused projects throughout the summer.
Certifications for Chief Information Security Officers
Certifications for CISOs demonstrate a professional's grasp of cybersecurity principles and management experience. While there are no mandatory certifications for CISOs, some employers prefer certain credentials. Certifications may require regular renewals, which include continuing education credits.
CISOs may have no certifications, only one, or accumulate several over time. The following credentials highlight some popular options for CISOs at various stages of their careers.
Becoming a Chief Information Security Officer
An individual can take many paths to become a CISO, but most positions require a bachelor's degree and significant professional experience. Larger organizations, which may feature more job responsibilities, typically apply stricter requirements.
Aspiring CISOs can pursue bachelor's-level computer science or cybersecurity degrees. Other cybersecurity-related degrees also apply, including information assurance, computer engineering, and computer forensics.
Many employers require about 10 years of relevant security and leadership experience. A CISO may need a graduate degree and professional certifications that demonstrate their specialized expertise for some jobs. Employers might also expect experienced professionals to have up-to-date knowledge from continuing education.
How to Become a CISO in Five Steps
Small to Mid-Size Organization CISO
- Acquire a bachelor's degree: A CISO typically needs a bachelor's degree in an IT field like computer science. Cybersecurity degrees or specializations may provide a more direct path to entry-level careers in security.
- Complete an internship: Many undergraduate programs feature internships in their third or fourth years. Participants receive on-the-job training in relevant fields and mentorship from experienced professionals. Internships can also lead to connections for potential entry-level employment after graduation.
- Gain entry-level experience: Entry-level jobs in information systems provide the foundational experience needed for all mid-level IT jobs. Possible positions may include systems administration, IT technician, and systems support specialist.
- Develop cybersecurity experience: Cybersecurity positions allow professionals to learn industry-standard security practices and guidelines. Workers can gain experience in managing and developing security systems. Useful positions may include cybersecurity specialist or analyst.
- Obtain management experience: Experienced cybersecurity professionals can apply their expertise to management positions within smaller organizations. Depending on their level of cybersecurity education, skills, and experience, they may be able to jump right into CISO roles and bypass lower management positions.
Large Organization CISO
- Acquire a bachelor's degree.
- Complete an internship.
- Gain entry-level experience: This step may come after a master's degree or be skipped entirely, in some cases.
- Complete a master's degree: Many two-year master's programs offer cybersecurity-related specializations, including cyberoperations, computer forensics, or cyberintelligence. Master's programs also provide leadership training and internships. They may also help qualify graduates for industry certifications.
- Develop cybersecurity experience.
- Obtain management experience.
- Pursue professional certifications: Many large organizations prefer CISOs who hold relevant professional certifications, such as the CCISO, CISSP, or CISM. These credentials demonstrate that the holder has sufficient experience, education, and knowledge to oversee a large organization's cybersecurity needs.
Should You Become a Chief Information Security Officer?
Every individual needs to answer this question for themselves, but CISOs enjoy many professional benefits. Their work directly helps organizations protect their assets and safeguards the privacy and personal information of staff and consumers. As cyberthreats continue to grow, CISOs become more important and valuable.
According to the Bureau of Labor Statistics (BLS), the median annual salary for chief executives was $179,520 in May 2021. While many organizations look to reduce their number of chief executives, the considerable growth in the cybersecurity field should offset losses and make for a promising job outlook for CISOs.
While most professionals reach their peak at the CISO position, some may advance into CIO or CEO roles. To become a chief information security officer, however, professionals need to invest significant time, money, and effort. Acquiring the proper education and credentials can take many years, and professionals may need more than a decade of relevant experience.
The Job Hunt
To become a CISO, professionals may advance through the ranks with one company or come from outside the organization. In both cases, aspiring CISOs with strong professional networks have the best chances of success. Candidates may probe their networks for open positions, look through social media, or join professional organizations.
Other options include job fairs, industry conferences, and mentor recommendations. The following job boards may also connect prospective CISOs with available positions.
Professional Spotlight: Steve Tcherchian, CISO
What prompted your journey to become a chief information security officer?
I've never been afraid of technology. I was curious and enjoyed taking risks.
I was the kid who would break things just to see how they worked before attempting to put them back together. I wasn't always successful, and I occasionally got in trouble for it.
I got my first computer when I was about nine years old. It was a Packard Bell 286. I was constantly tinkering with it. I'd take it apart and see if I could reassemble it.
I began writing computer programs at a young age. I used to spend my afternoons and evenings learning, sharing my creations, and meeting other people who shared my interests on IRC, AOL, and Usenet groups.
This broadened my perspective on what was possible, both good and bad. I started joining "groups." As the internet became more accessible, we would have more fun online. We were annoying and occasionally disruptive, but we didn't harm anyone. It wasn't on the scale of today's social engineering. We were just a bunch of kids who had no idea what we were doing.
Some of my friends actively pursued that type of lifestyle as we grew older and learned more, and they began to attract attention — legal attention. I witnessed some of my friends get into mischief. I needed to figure out where I was going with this.
I remember talking with a family member who was a deputy sheriff. "You already believe that the best criminals can make the best cops," he said. That statement stuck with me, and I saw it as a watershed moment in my career.
I was familiar with the majority of the tactics and strategies for preventing hackers. He's right; I knew how cybercriminals thought. Following that discussion, I made the deliberate decision to educate and assist rather than harm and disrupt. There are no regrets in my life.
If you work in a particular industry, what prompted this choice and/or how did it evolve?
This is one of the reasons I enjoy my job so much. I get to work in a variety of industries. Because our customers drive the global economy, I have become intimately acquainted with every industry they operate in, including financial services, telecommunications, retail, supply chain, and services, among others. No other job has provided me with the breadth of experience across industry verticals that this one has.
What educational path did you take to become a CISO?
Again, this isn't advice for everyone, but it worked for me. No amount of formal education could ever replace real-world experience, hard work, and living a life. Education is obviously important, but it is not what separates the good from the great. Learning from books must be supplemented.
I founded my own cybersecurity firm early in my career and quickly became successful with clients all over the world. Unfortunately, my success meant that I didn't have much extra time for school. But what I missed out on in school, I made up for with experience. However, I saw formal education as necessary at the time and was able to carve out time to formalize my experience through education. I discovered one thing about myself: I hate math. And it's not easy to do with a degree in computer science.
Did you have to pass any certifications or tests to enter the field or progress in your career? What were they like?
I was always eager to learn more, so I gathered as much reading material and lab equipment as I could and went to town. This helped lay the groundwork for me to formalize my experience with certifications.
Without taking a crash course or paying thousands of dollars for a bootcamp that helps you memorize answers, I passed the Security+, CCNA, PCI-ISA, PCI-P, and CISSP exams on my first try. The tests were difficult and well-planned. I doubt I would have passed these tests if I hadn't had the foundational hands-on experience provided by my job. I'm already hard at work on the next set.
What advice do you have for individuals considering becoming a chief information security officer?
Force yourself into uncomfortable situations. Learn from it. Be flexible. Study the examples of others (good and bad). Listen. You'll get opportunities if you work hard and put in the extra effort. Don't pass up these opportunities. Say yes to everything when you're young and figure it out. It doesn't matter if they don't all work; learning how to make better decisions in the future is part of the process. Request assistance and demonstrate your abilities.
Above all, don't let your ego or pride get in the way. It is not a race to the mountain's summit. Surround yourself with people who inspire you and who you admire. Success will come to those who work for it, not those who believe they deserve it.
And don't get caught up in social media. Because of these apps, we are constantly comparing our lives and developing unreasonable standards. You look at a wealthy CEO and wonder, "Why can't my life be like that?" We only get to see the highlights. On social media, people share their best moments.
We don't see the struggle, the failures, the late nights, the time away from home, the time and effort put in for no reward. This creates feelings of unfairness and envy. We believe that the only solution is to outrun the next person. The desire for instant gratification can be addictive, and there never seems to be a good time to get off the hamster wheel. I've discovered that most long-term success is rarely achieved alone. For an idea to thrive, it requires the support and innovation found in teamwork.
"If you want to run fast, run alone," says an old African proverb. "Run together if you want to go far."
When I first started out, I thought I could handle everything on my own. My early achievements fueled my ego. I planned to conquer the world by myself, and if others couldn't keep up, they were in my way. Those early big wins quickly turned into long hours, burnout, and a feeling of being unsatisfied and empty. What should I do next?
Fortunately, I realized that once something was begun, the work, knowledge, and successes could and should be shared. Reaching a goal together, sharing high fives with my team, and seeing that we can accomplish something far greater collectively than I could on my own gave me a sense of fulfillment in my work that I had never felt before. You cannot succeed as a CISO solely on your own.
You must learn to be a team player and to lead. The best advice I can give is to slow down, gather your team around you, and let them own a piece of the struggle (and the success), and you'll see results that far outweigh anything you could achieve on your own.
What do you wish you'd known before becoming a chief information security officer? (Any high and low points worth mentioning?)
I'm not sure I would change anything. Low points are the best teachers. If I had gone in with a certain understanding or high points, I'm sure my ego would have gotten the better of me. I think everything is working out exactly the way it should.
Steve Tcherchian is CISO and Chief Product Officer at XYPRO, a leading cybersecurity solutions company based in Simi Valley, California. He is on the ISSA CISO Advisory Board, the NonStop Under 40 executive board, and the ANSI X9 Security Standards Committee.
Tcherchian is a regular contributor to and presenter at the EC-Council. With more than 20 years in the cybersecurity field, Steve is responsible for the strategy, innovation, and development of XYPRO's security product line, as well as overseeing XYPRO's risk, compliance, and security. He works closely with XYPRO's HR department to ensure that it, too, remains cybersafe. Steve is often quoted in major media on cybersecurity issues and events.
More Resources for Future Chief Information Security Officers
FAQ About How to Be a Chief Information Security Officer
- How long does it take to become a chief information security officer?
Every path is different, but it can take about 10-15 years or more to become a chief information security officer after high school. Many professionals have a four-year bachelor's degree, a two-year master's degree, and more than 10 years of professional experience.
- What is needed to become a CISO?
While a bachelor's degree satisfies the minimum education requirements for a CISO, many professionals have a master's degree and several IT or cybersecurity certifications. Most CISOs also possess about 7-10 years of experience.
- Which degree is best for becoming a chief information security officer?
At the bachelor's level, the best degree for aspiring CISOs is a bachelor's in cybersecurity or a cybersecurity specialization in a computer science program. However, a master's degree in a cybersecurity discipline is likely the best degree overall.
- Can you be a CISO without a degree?
While some professionals with extensive experience may acquire the CISO title without a degree, it is very rare. For those starting out now, earning a degree should be the first step into the profession.
Reviewed by: Monali Mirel Chuatico
In 2019, Monali Mirel Chuatico graduated with her bachelor's in computer science, which gave her the foundation that she needed to excel in roles such as a data engineer, front-end developer, UX designer, and computer science instructor.
Monali is currently a data engineer at Mission Lane. As a data analytics captain at a nonprofit called COOP Careers, Monali helps new grads and young professionals overcome underemployment by teaching them data analytics tools and mentoring them on their professional development journey.
Monali is passionate about implementing creative solutions, building community, advocating for mental health, empowering women, and educating youth. Monali's goal is to gain more experience in her field, expand her skill set, and do meaningful work that will positively impact the world.
Monali Mirel Chuatico is a paid member of the Red Ventures Education Integrity Network.
Page last reviewed Oct 4, 2022