Four security leaders share their career journey from CISO to COO, VP, board member and investment advisor, showing the potential paths on offer for CISOs looking ahead.
Few roles have changed as much as the chief information security officer in the nearly 30 years since Steve Katz first held the title at Citicorp in the mid-1990s. As the role has evolved from managing technical controls to business risk, it’s paved the way for CISOs to advance into other positions. Four CISOs who have taken different paths share their experiences and advice on moving from CISO to new roles.
CISO to COO: Chad McDonald, COO at RadiantLogic
Chad McDonald, who moved from CISO to COO at RadiantLogic, has held several CISO roles as well as customer experience and professional services roles across almost 20 years. He’s found the CISO role requires thinking strategically across the business and influencing various departments, skills that can be useful when looking to next steps.
These strategic skills are highly transferable to broader roles like COO, according to McDonald. In the current role, for example, he must understand customer needs and be able to speak a common language with them.
“CISOs need to talk to finance, HR, marketing [and] product to bring about change, alter the perspective of the security landscape with the organization or decrease the risk profile. These skills are highly transferable and position you very well to run any kind of operational team,” he says.
“Being a CISO, what you do day in, day out, is to think strategically across the business, not just in your lane. Making one change can impact the entire business and so you have to do a good job of influencing outside of your specific remit,” McDonald tells CSO.
Broad exposure to different verticals is beneficial for pivoting to roles like COO because it involves understanding different regulatory and compliance needs.
“It helps to think in different ways, not just about the internal requirements, but how they translate into what a customer may need and start speaking in a different language and looking at your organization from both an external and internal aperture,” he says.
Although it’s mostly a linear career path, increasingly there’s a large overlap between security and other C-level roles such as CIO and CTO, which opens new opportunities.
McDonald suggests that CISOs need to have a grasp on broad business skills that include finance, project management, and understanding legal contracts. “They’re crucial for CISOs looking to transition to roles like CIO, CTO, or COO.”
The ability to communicate well remains critical. “As you move up, you need to communicate at an executive level beyond just tactical news and be able to explain clearly the direction you’re going and why, to people who may not have experience with technology or security,” he says.
CISO to CIO to VP: Tammy Loper, VP of information technology and security at the University of Tampa
Tammy Loper, VP of information technology and security at the University of Tampa, has built a career out of creating and transforming security and technology operations that’s seen her progress from CISO to CIO and now to VP.
Through the course of her career, Loper has found that strategic thinking, building strong relationships across the board and gaining buy-in have been integral to workplace success, which has translated into opportunities for advancement.
“In starting a new security program, I met with every department on campus and analyzed the systems in use, the types of information they process, their techniques, business challenges, and gaps,” she tells CSO.
Loper creates a common mission that helps build authority to educate and influence within an organization. It also helps gain visibility — a critical factor in being well positioned for advancement.
“If your role is buried in the organization, and you’re trying to push things from the bottom up instead of top down, your visibility might not really be there for trustees to know who you are and what you’re capable of,” she says.
CISOs have a unique vantage point in understanding an organization’s processes and positioning security as part of the core mission, and this potentially opens up opportunities for more senior roles.
In her case, Loper successfully built a security program and extended that strategy across IT to become CIO. The eventual move to become VP reflected the fact that IT and security needed a certain authority across every unit within the university.
The challenge is keeping the dial in the middle between business needs and security needs, and CISOs may need to unlearn a singular focus on security. “CISOs can sometimes struggle to make those difficult compromises, but you need to be able to find that balance to meet organizational goals and have the confidence in those decisions,” she says.
CISO to mentor and board member: Paul Connelly, board advisor
Paul Connelly has held several CISO, CSO and information security roles, including stints in the NSA and the White House, before shifting to technical advisor and board member roles. In that time, he’s seen the change in focus and standing of the CISO role.
“When I started, it was all about technical knowledge and now it’s understanding the business and how you affect the business,” Connelly tells CSO.
Today, he regards passion for the job, the ability to communicate and organizational skills as almost more important than any specific background for the role.
When it comes to aspirations to take a seat on the board, Connelly has found the skills it takes to be a successful CISO today translate well to such leadership roles.
“Part of the evolution of the CISO role has been engagement with business leaders and being involved in strategic decisions and, if you prove yourself setting the strategy, working with other people, and driving successful projects, it really opens doors to the board,” he says.
In his board roles, he’s able to bring up things nobody else around that table would have identified or pursue follow-up questions when there’s an update from the CIO or the CISO.
“When I think of how important security is to companies, it’s astounding that more don’t have people with our background,” Connelly tells CSO.
However, CISOs are not in the frame for board recommendations if they’re not part of the networking circles that include CFOs, CEOs, and existing board members. “Get to know the board members and develop that network of people so when you’re ready, the members of the board are going to be right there behind you and can recommend you.”
Connelly suggests CISOs engage with other business leaders and broaden their skills, including becoming involved in workplace committees such as risk or DEI. “It’s vital to get involved in other areas, because boards can’t afford to assign a seat to somebody who only focuses on one area.”
Knowledge of the workings of boards is also important, but it doesn’t always happen organically. “Study what boards do, consider certification through groups like the National Association of Corporate Directors and get some experience by serving on not-for-profits that are always looking for board members.”
And look for allies who will support your ambition for a board role. A supportive CEO could provide opportunities to interact with board members as peers and help with directions and feedback on presentations and updates to the board as part of your preparation.
“Talk to your senior leadership and let them know what your interests are and see if they could help.”
CISO to CSO to investment advisor: Justin Somaini, partner at YL Ventures
Justin Somaini, partner at YL Ventures, held CISO, CSO and chief trust officer roles at some of the largest global tech outfits before moving into an advisor role.
He sees the CISO role as a multi-faceted role akin to a salesperson. “We’re selling security internally,” Somaini tells CSO.
This means embracing marketing to sell the message, human behavior to understand the audience and their rationale for adopting security and learning to build bridges to get security done.
“Security people don’t just do work, we find problems. Then we find the solutions, and we tell everybody else in the company to actually get something done,” he says.
It requires understanding the job and function of others and appreciating the challenges and hurdles of those individuals. This creates a natural opportunity for CISOs to learn about how businesses are built and the stepping stones to new opportunities.
“If you really push yourself to learn these other functions, you’ll not only be successful in your current role, but also have a platform to get to the next one,” Somaini says.
There’s no one right path, so it’s a matter of charting your own course. “A lot of CISOs are trying to figure out what’s next and we’re testing it out for the first time en masse in the industry. But as an industry we do need to figure out what the career tracks are.”
Arriving at his current role came through “a lot of small things throughout the years” that included getting to know founders and VCs and then taking advisory roles for VCs and startups.
His advice is to expand your network to create opportunities to move into new positions. “When I was at VeriSign, I was introduced to Nir Zuk at Palo Alto [Networks].
It was coming out of stealth; I became an advisor for him, which I never knew was a thing you could do, and I loved it,” he says.
As part of a team that selects the next investment, he utilizes his security domain knowledge with experience of how to support companies on their journey of maturity. It means being a “value-add VC” who understands the sales and marketing lifecycle and can provide support to startups that don’t yet have heads of sales or marketing at the early stage.
He suggests CISOs consider holding dual-title roles to gain additional expertise and take advantage of the role’s remit across an organization to learn about all facets of a business and build relationships with other departments. “Because they’re horizontal, the CISO can see everything and build those relationships.”
Echoing the sentiments of the others, he points to the value of networking that can lead to new things down the track. “Develop and foster relationships outside of the security world to open up new opportunities.”