The Aspiring CIO and CISO - David J. Gee - E-Book

Description

Explore the intricacies of CIO and CISO roles with The Aspiring CIO and CISO by David Gee. This book leverages Gee's 20+ years of digital and cyber leadership experience, providing real-world insights, making it a valuable resource for those navigating the evolving landscape of the C-suite.
Tailored to entry-level, mid-level, and senior managers looking to advance to the C-suite, this book serves a unique purpose in the realm of career guidance. The narrative speaks directly to individuals uncertain about their readiness for CIO or CISO roles, offering a personal mentorship experience that goes beyond technicalities. Armed with insights into crafting a powerful 90-day plan, you'll be well-equipped to catapult into CIO or CISO roles successfully. Beyond technical proficiency, the book instills survival skills, ensuring longevity and helping you prevent burnout in these pivotal positions. Additionally, by mastering the art of brand development and soft skills, you'll grasp the interpersonal dynamics crucial for executive leadership. This book is an indispensable guide for ambitious professionals, offering foresight and empowerment to thrive in the digital age.
By the end of this book, you'll emerge with strategic dexterity, confidently steering your career trajectory towards the C-suite.

You can read the e-book in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Number of pages: 425

Year of publication: 2024




The Aspiring CIO and CISO

A career guide to developing leadership skills, knowledge, experience, and behavior

David J. Gee

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Dhruv Jagdish Kataria

Publishing Product Manager: Dhruv Jagdish Kataria

Book Project Manager: Ashwini C

Senior Editor: Apramit Bhattacharya

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Proofreader: Apramit Bhattacharya

Indexer: Hemangini Bari

Production Designer: Vijay Kamble

DevRel Marketing Coordinator: Marylou De Mello

First published: June 2024

Production reference: 1200624

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-83546-919-4

www.packtpub.com

This book is inspired by my wife Anna, the love of my life, my best friend, and the best teacher that I have ever had. My family - You will never know how proud I am of what incredible adults you have grown up to be. To my grandkids, Azalea (Azzy) and Harrison (Harry), who are the apples of my eye and whom I love dearly. Finally, of course, my parents David and Cindy, who have long passed this world, but whose positive role modeling I try to live up to every day. (I’ve been a very blessed person.)

Foreword

For many IT professionals, the roles of Chief Information Officer (CIO) and Chief Information Security Officer (CISO) represent the pinnacle of their careers. The roles are challenging and demanding, and they offer the incumbents the opportunity to have a significant impact on the success of an organization. But how do you get there? What skills and experience do you need? How do you develop yourself to become a strong candidate for these coveted positions?

In this book, The Aspiring CIO and CISO, David shares his insights and experiences to help you navigate the path to becoming a CIO or CISO. David guides you through the critical aspects you need to consider.

My own career has been a wonderful journey of learning across different roles and companies. I didn’t have any such reference that I could rely on and had to learn by myself. The book specifically talks about building a career as a CIO and CISO, and I would support that having this ability to pivot across both domains is a real career advantage.

This book is not just about getting that dream job; it’s about building a fulfilling and successful career in IT leadership. Whether you’re just starting out or looking to take your career to the next level, The Aspiring CIO and CISO provides the roadmap you need to achieve your goals.

I encourage you to take this journey and turn your aspirations into reality.

Darryl West

Former Global Group CIO, HSBC

Contributors

About the author

David J. Gee is a husband, father, and grandfather who just happens to have had the privilege of spending more than 25 years as a business leader in the roles of CIO, CISO, and technology, cyber, and data risk executive.

David has an eclectic background as a transformation change agent who has lived across five countries and worked in different industries, including banking, insurance, pharmaceuticals, building products, and media.

He won the Australia CIO of the Year in 2014 for a successful core, mobile, and online banking transformation and the Global Leaders Award from FS ISAC in 2023 for his contributions to cybersecurity in financial services.

David has reinvented himself throughout his career and is now transforming into a non-executive director and board advisor. He is an avid writer and has published a few hundred articles for CIO, Computerworld, CSO (cyber), and ITnews. His articles have been translated into multiple languages.

As a venture capital partner, David has enjoyed connecting fintech firms with enterprises and helping these start-ups scale and grow.

About the reviewers

Sibylla Muecke is passionate about unlocking value for businesses through better decision-making. She is a lawyer with certifications in information management and leads initiatives in financial services across data, records and risk management, and regulatory policy and compliance.

Sibylla has received recognition and innovation awards throughout her domestic and international experience for contributions to business efficiency and building organizational capability.

Lily Couper is an emerging technology professional, currently specializing in technology, cyber, and data risk at Macquarie Group.

Lily is at the early stage of her career and pondering over longer-term career options, hence she has a strong personal interest in the subject matter of this book. She has a bachelor's degree in history as well as a bachelor of engineering degree with first-class honors from the University of Sydney.

Table of Contents

Preface

Part 1: Your Journey to Becoming a CIO or CISO

1

Starting the Journey to Become a CIO or CISO

Understanding the CIO and CISO roles

The role of the CIO

The role of the CISO

Introducing the CIO career path

Introducing the CISO career path

What is your current brand?

To be a CISO or CIO, what do you need to change?

Summary

2

How to Develop Yourself to Be a CIO or CISO

Building your development plan – The SKEB model

Soft skills are hard – Why do they matter?

Understanding the gaps in your soft skills

Summary

3

Executing Your Career Path to Becoming a CIO or CISO

Developing your objectives

Building a plan to make you grow and be uncomfortable

Paths to becoming a CIO or CISO

Thinking two jobs ahead

Introducing an algorithm to accelerate your own growth

Exploring career approaches to progress

Reviewing the CIO and CISO interview process

The external CIO/CISO role

The internal CIO and CISO role

Selection as the preferred candidate

Summary

4

CIO and CISO Interview Tips

Prework and orientation

The interview

CIO questions that you may be asked

CIO interview questions for you to ask

CISO questions that you may be asked

CISO interview questions for you to ask

Summary

Part 2: What to Do in the First 90 Days

5

CIO – The First 90 Days

Understanding the need for a 90-day plan

A brief overview of my first CIO 90-day plan

Exploring People in the 90-day plan

What does success look like?

Understanding key players

Creating your brand

Engaging your peers and staff

Assessing and building a team

Exploring Process in the 90-day plan

Understanding how IT engages a business

Establishing personal key metrics

Accelerating business learning

Exploring Technology in the 90-day plan

Reviewing the IT strategy and strategic projects

Fixing critical hygiene issues

Understanding Ops and Security

Sending the right message

Building your plan for the first 90 days

Asking yourself the hard question

What are the show stoppers?

Rinse and repeat

Summary

6

CISO – The First 90 Days

A brief overview of my CISO plan for the first 90 days

Exploring People in the 90-day plan

What does success look like?

Understanding key players

Assessing the cyber team

Building your future team

Exploring Process in the 90-day plan

Understanding how Cyber engages the business

Establishing risk metrics

Accelerating business learning

Understanding cyber governance

Exploring Technology in the 90-day plan

Reviewing the cyber strategy and roadmap

Understanding the security baseline

Understanding security operations

Understanding the regulatory book of work

Building your plan for the first 90 days

Summary

Part 3: Being the CIO or CISO

7

Moments of Truth (When You Accelerate Your Growth)

Building a team

Building a partnership to deliver

Handling a critical hygiene issue

Dealing with aftershocks

Having a sense of duty as opposed to loyalty

Dealing with your first cyber attack

Building a risk culture

Being totally honest

Getting the CISO and CIO aligned

Summary

8

Understanding the Pressures CIOs and CISOs Face

The weight of being a leader

Exploring a day in the life of a CIO

A day in the life of a CIO

The stress felt by different CIOs

Exploring a day in the life of a CISO

A day in the life of a CISO

Stress felt by different CISOs

How the CIO and CISO manage stress

Summary

9

CIO and CISO Survival Skills

Exploring Maslow’s theory in the context of CIOs and CISOs

Building a strong foundation

Making the right career choices for yourself

Recalibrating your stakeholder analysis

Cultivating skills to ensure longevity

Building strategic alliances

Finding a mentor

Effectively managing political situations

Maintaining continuous growth

Summary

Part 4: What’s Next in Your Career?

10

Looking for the Next Elevator

Why look for the elevator?

Choosing the next elevator

The transit lounge

Leveling up to build your career portfolio

Holding the door open for your successor

Summary

11

Risk Management as a Career Option

Why Risk Management is a viable option

Why might you want to cross over?

Risk Management as coaching

Finding your way to become a coach

Summary

12

What CIOs and CISOs Do in Retirement

Looking at retirement as a new beginning

Figuring out how old you should be when you retire

Looking at a few post-career moves for CIOs and CISOs

Planning your transition to boards

Planning a transition into board advisory

Climbing a different mountain

Summary

Appendix

Index

Other Books You May Enjoy

Preface

Imagine that you are at the bottom of a mountain and making your way up the path. There is snow at the top of it and, along the way, many pointy rocks to navigate. Your destination is the summit, and there are many approaches that you can take to climb.

This book is intended to be your guide to reaching the summit of your career aspirations. I hope this book inspires the aspiring CIO and CISO to reach their career objectives. You can choose to walk up the mountain or take the gondola lift. The journey on the gondola lift will still have bumps, but you are able to traverse the distance safer and faster.

Being a CIO or CISO is an incredibly rewarding career journey. You will experience much personal growth and learning and face a new challenge to tackle every day. For many of you, that will be the key motivation for taking on this role, not the status, prestige, or rewards that may come from this position. It might be considered a personal test to see how much you can develop yourself.

There are many tricks and traps along the way in the career of a CIO and CISO. How can you prepare yourself for this journey? I recommend that you reflect on where you are and what you need to transform to make this a reality. I used the word transform on purpose as each leader will need to stretch into this new form.

Who this book is for

You are probably reading this as you would like to be a CIO or a CISO. Regardless of what stage you are at in your career – from starting out to being a senior manager – you might feel that there are gaps that you need to address to make this journey.

I’ve titled this book The Aspiring CIO and CISO on purpose as I have taken on both roles during the course of my career. Hence, I would encourage you to evaluate these opportunities equally. Both are worthy ambitions to pursue.

What this book covers

Chapter 1, Starting the Journey to Become a CIO or CISO, is the starting point of this journey. This chapter helps you to understand your current brand. Your brand is what qualities others associate with you. Your personal brand will dictate whether you are successful in becoming a CIO or CISO. The brand will shape your journey and prescribe what actions you need to take to address any of these perceived gaps. Thus, understanding what to refine and improve is a key factor.

Chapter 2, How to Develop Yourself to Be a CIO or CISO, explores the Skills, Knowledge, Experience, and Behavior (SKEB) that a CIO and CISO will require. There is a focus on soft skills that the CIO and CISO should aim to possess, and certain specific soft skills for these roles are essential. By the end of the chapter, you will know how to complete your own soft skills gap analysis and set some objectives to progress with these.

Chapter 3, Executing Your Career Path to Becoming a CIO or CISO, reviews how you can create your career and position objectives for your CV. The concepts of stretch and becoming comfortable with being uncomfortable are explored. We look at how to connect the dots on your career plan and try to think two jobs ahead, to ensure that you understand what SKEB you want to gain for this role to enable you to reach this position. I will introduce the concept of growing others to grow yourself. I also discuss different career path approaches that you may not have contemplated. Finally, we will review the CIO and CISO interview process.

Chapter 4, CIO and CISO Interview Tips, will delve into interview preparation to land your next CIO and CISO role. I outline the 25 most common questions that a CIO and CISO may be asked. Then I suggest 20 questions, which you should consider choosing two to three from, to ask the interview panel. By the end of the chapter, you will be ready to nail the interview.

Chapter 5, CIO – The First 90 Days, will show you how to build a plan for starting out as a CIO. I have included a template and described the work required to shape your own plan. There are working examples of how to engage stakeholders, review your IT strategy/roadmap, and engage your new team. I also talk about accelerating your own business learning and the key metrics that send a message to your team and key stakeholders. Then there is a retrospective review to see whether you need to update your 90-day plan for the next cycle. By the end of the chapter, you will be able to develop your own 90-day plan that is tailored to your new role as a CIO.

Chapter 6, CISO – The First 90 Days, will teach you how to develop your own 90-day plan for a CISO. There is a cyber strategy/roadmap to review and also stakeholders to engage. Once we have understood the stakeholder engagement mapping and plan for the CISO, we will work through an example. The new CISO has to orientate on key risk metrics, and some best practices are noted. There is a review of cyber governance processes, including frameworks to adopt. By the end of the chapter, you will be able to develop your own 90-day plan that is tailored to your new role as a CISO.

Chapter 7, Moments of Truth (When You Accelerate Your Growth), provides examples of when a CIO and CISO really take on their roles. These are moments that accelerate your learning and gain you respect from your key stakeholders and team. These are moments when you define yourself, and a few scenarios are explored to illustrate how this experience will reinforce positive behaviors.

Chapter 8, Understanding the Pressures CIOs and CISOs Face, talks about the stress and pressure that are faced in a day in the life of the CIO and CISO. There are different types of CIO and CISO, and the stress indicators can vary dramatically based on the natural style that you bring to the table. Then, as a CIO, you have to work effectively with the CISO (and vice versa). Where you are both aligned and not aligned will have to be considered.

Chapter 9, CIO and CISO Survival Skills, explores Maslow’s theory and how it applies to CIOs and CISOs. With this, detailed stakeholder analysis and approaches can be carried out and provide you with some valuable insights to manage these relationships. There is a discussion around building alliances and when to also look externally for mentors and coaches. Finally, we look at how to avoid workplace politics and ways to navigate certain difficult scenarios.

Chapter 10, Looking for the Next Elevator, deals with what you should do if you don’t feel the role is a good fit. We will essentially evaluate what the right buttons to press are. There are times when a consulting gig makes sense before you consider returning to another CIO or CISO position. Taking a more holistic bird’s-eye view and reflecting on your career will mean that you consider your life and career decisions closely coupled. Then, when you are ready to leave, we will explore how to efficiently hand over to your successor.

Chapter 11, Risk Management as a Career Option, is a bonus chapter in which I take you through a career path that you have probably never considered. I explore how your battle scars and SKEB have prepared you perfectly for this alternate career path. The chapter discusses a very different model of risk management than is typical, modeled on being a coach rather than a player, referee, or even spectator. By the end of this chapter, an alternative career door could have been opened.

Chapter 12, What CIOs and CISOs Do in Retirement, is the final chapter, where you will learn about the mountains you might want to climb next. We will explore some of the motivations you might have and the post-career moves that you can make. Again, given we want to always think two steps ahead, now that you are a CIO and CISO, you need to think about what is next. We will reflect on how to consider this to position yourself better for the future.

To get the most out of this book

As everyone will have a different starting point, you may want to read ahead to specific chapters depending on what is relevant to the position you are in. My guidance is that you start off by reading the first few chapters and then jump ahead to any chapters that are most relevant to you.

You will certainly have questions that you want to try to resolve, so in anticipation of this, I have made a note of 100 questions in the Appendix that you may have that this book can help you to try to answer. As you are working your way through this book, you may find that you want to make note of some additional questions that you would like to be answered. It is also up to you whether you want to satisfy your curiosity and jump to a chapter that answers a specific question, and not necessarily read this book from front to back.

Again, that’s your choice, and your life and career are very much a journey of discovery. Each of us has to take this journey in a manner that works and makes sense.

Here are some key questions to ask yourself, numbered to correspond to the chapter in which they are answered:

1. Why do I need to build my own brand to be a CIO and CISO?
2. How do I develop my skills, knowledge, experience, and behavior to be a CIO or CISO?
3. How do I develop my career path to be a CIO and CISO?
4. How can I nail the interview for a CIO or CISO role?
5. How do I write my plan for the first 90 days as a CIO?
6. How do I write my plan for the first 90 days as a CISO?
7. How do moments of truth accelerate my growth?
8. How do I manage the stress that comes with the CIO and CISO roles?
9. What are the survival skills for a CIO and CISO?
10. How do I plan for my next CIO or CISO role?
11. Why should I consider Risk Management as a potential career path?
12. What do I plan to do in my retirement?

I’m sure that there will be many more questions that arise in your mind as you read this book. Indeed, I’m confident that you will encounter new questions to be addressed, and there are some areas where I won’t be able to provide you with guidance.

Enjoy the journey and see you on the other side as you rise into your new role!

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.


Part 1: Your Journey to Becoming a CIO or CISO

In this first part, you will get an overview of the role of the CIO and CISO and will start mapping your own personal journey to this destination. We will cover the development of your brand and your overall gaps across skills, knowledge, experience, and behavior (SKEB). We will talk about how to reflect on your soft skills and go outside of your comfort zone to grow as you prepare for the role. We will explore how helping others develop will help you get ready faster and be successful in a CIO or CISO position. Getting the CIO or CISO role will be challenging, so interview preparation is key. We will look at the questions that might be asked in the interview and then how best to ask probing questions yourself.

This part has the following chapters:

Chapter 1, Starting the Journey to Become a CIO or CISO
Chapter 2, How to Develop Yourself to Be a CIO or CISO
Chapter 3, Executing Your Career Path to Becoming a CIO or CISO
Chapter 4, CIO and CISO Interview Tips

1

Starting the Journey to Become a CIO or CISO

This book is for leaders who aspire to be a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) and provides practical guidance as to how to build a career as a CISO or CIO. You’ve likely opened this book as you have a desire to achieve one of these senior positions. There are few more challenging and interesting roles than these. I’ve written this book as a guide to a younger version of myself, when I was filled with more questions than answers and some degree of uncertainty about the direction of my career.

The fundamental question that is to be addressed in this chapter is as follows:

Why do I need to build my own brand to be a CIO and CISO?

Although the career path to be a CIO is traditionally different from that of a CISO, this book could also be for leaders who aspire to be a CIO and CISO. Many IT professionals would naturally not consider both as an option and will instead choose only one of these tracks. This book will provide insights into tackling either or both career paths. You might want two shots on goal or one – either would lead to a great and rewarding career. However, having a choice is a powerful option to consider.

In this chapter, we’ll gain a deep understanding of what these roles entail and touch on the typical career paths that have taken many on the journey to become a CIO and CISO. Then, we’ll look at defining your personal brand and what you may need to change to achieve either of these career paths. This is because having a good understanding of your personal brand is a critical step on your path to becoming a CIO or CISO. Should you embark on this journey without a clear understanding of your brand, then it will only make it more difficult.

In this chapter, we will cover the following main topics:

Understanding the CIO and CISO roles
Introducing the CIO career path
Introducing the CISO career path
What is your current brand?
What do you need to change?

Understanding the CIO and CISO roles

You likely already have a fundamental understanding of these roles. It is also likely that you have worked for a CIO or CISO or directly reported to them, and that you have made some personal observations about what the roles entail. We should, however, note that no two CIO and CISO roles are exactly the same, and there will be some differences in their responsibilities. First, let’s look at the role of the CIO and what it requires.

The role of the CIO

The role of the CIO has changed dramatically over time. It has evolved over many years, with different titles and responsibilities, as IT itself has grown and developed. Some examples of former titles of the role are as follows:

Information Services Manager
IT Director
MIS Manager

Despite the variation in the title, the CIO has always been principally responsible for managing IT infrastructure and operations. This role of overseeing technology has evolved from centralized mainframe systems to distributed computing, and now, cloud-based processing.

The CIO has seen their responsibilities morph with tasks added and removed. This was caused by the role becoming too large for one individual and by the expansion of the skills required. As these changes occurred, there were new C-suite colleagues added to some organizations, and these include the following:

Chief Digital Officer
Chief Data Officer
Chief Knowledge Officer
Chief Technology Officer
Chief Transformation Officer
Chief Innovation Officer

In large, complex enterprises, the CIO may cover all or some of these roles. We should expect that this rate of change will continue, given that technology continues to strategically drive change in organizations.

In a classic sense, the specific responsibilities of a CIO usually include the following:

Taking ownership of developing and executing the IT strategy
Effectively working with business stakeholder leaders to drive change through new technology
Overseeing the development and system maintenance of IT applications, systems, and technology infrastructure
Managing the IT portfolio, including the budget and resources
Managing the security of the enterprise’s data and networks

It’s clear that the role of the CIO is more important than ever. CIOs are responsible for ensuring that their organizations have the technology they need to be competitive and successful. Let’s look at some key points in terms of how this role has changed over time.

| Traditional CIO | Today’s CIO |
| --- | --- |
| Run legacy business | Design new digital business |
| Automate processes | Transform business processes |
| Conduct internal operations | Engage in design thinking (customer experience) |
| Oversee centralized IT | Implement distributed cloud model |

Table 1.1 – Changes in the focus of the CIO role

There are CIOs that would be a mix of these two extremes, as well as individuals that operate at each end of this spectrum. Next, let’s look at how the CISO role has evolved.

The role of the CISO

In contrast to the CIO role, the role of the CISO is relatively new but has also evolved. The position was previously called Information Security Manager, Vice President Information Security, or some other similar variation. However, the role is not the same – as cybersecurity became more strategic, this role became elevated in seniority. The CISO’s role is simply to defend the enterprise data, systems, and assets from cyber threats. The CISO is the most senior-level executive responsible for protecting the organization, and their role usually includes the following:

Managing the response to security incidents
Overseeing security assessments of new systems and partners
Engaging in people management of the cyber team
Engaging in operational management of cyber technology
Taking ownership of the cyber risk culture and staff education

The following table outlines the changes in this role over time:

| Information Security Manager | Today’s CISO |
| --- | --- |
| Manage security operations | Develop a cyber strategy |
| Implement security projects | Deliver a cyber transformation program |
| Manage unauthorized access to data | Manage enterprise risk and posture |
| Oversee developer access | Drive DevSecOps |

Table 1.2 – Changes in the focus of the CISO role

As cybersecurity has become more critical for enterprises, the role of the CISO has evolved into that of a strategic leader who works with the board and management. The CISO can also be asked to interface externally with regulators, customers, and partners.

Now let’s look at the typical career trajectories that can be followed to become a CIO.

Introducing the CIO career path

The CIO career path often follows the route of being promoted for strong delivery, particularly of evident transformation efforts acknowledged by the business executives. As such, there is a stronger weighting of CIOs who have a program and project delivery background than operational experience. As cyber-attacks spread across all sectors, we see that the CIO must pay more attention to cybersecurity. The CIO can only ignore cybersecurity at their own peril, as the stakes are high, and reputations can be severely impacted.

With that said, there are many paths to becoming a CIO. Here is an example of a typical CIO career path:

1. Commence your career as an IT analyst or Support analyst. This will provide you with a foundation in IT skills, knowledge, and experience of working across the IT portfolio and with different aspects of the business.
2. Take opportunities to build your skills, knowledge, and experience in development, network admin, or project management. These assignments will provide chances to build proficiency.
3. Either through internal promotion or external opportunity, you will take your first IT management position – IT manager or IT director. This is your first step into management and provides a more extensive role scope with larger teams. More importantly, you have the responsibility to own and implement the CIO’s IT strategies.
4. It is likely that you will perform several iterations of step 3 across different teams and with increased responsibility. During steps 3 and 4, there is normally an expectation that you understand the business and not just technology.
5. Promotion to Chief Technology Officer or Transformation Officer would be your first step into senior IT management. You become responsible for developing and executing the enterprise IT strategy and start to take on senior business stakeholder engagement.
6. Finally, we come to the CIO role – this may be an internal or external opportunity. You will be in charge, and the buck stops with you. Your role reports to the CEO or COO, and there are much higher expectations of you to deliver on the enterprise business objectives.

This example is very close to my own experience of becoming a CIO. There are more roads to becoming a CIO, and what is key is developing a brand that your stakeholders will associate with their idea of what a CIO is. Once you reach the CIO role, then the journey is not over and there are more senior CIO roles – Group CIO, CIO in larger enterprises, industries, and companies with more complex challenges to tackle.

Next, let’s look at the CISO career path.

Introducing the CISO career path

The role of the CISO, as I have mentioned, is newer than the CIO role and is thought to have first appeared late in the 1990s. There is much more variation in how someone gets to become a CISO. In my case, my path shifted from that of a CIO to a CISO path after a long CIO career, managing CISOs and Information Security Managers for many years. However, as with the case of CIO, there are many paths to becoming a CISO as well. Here is an example of a typical CISO career path:

1. Commence your career as an IT analyst or Support analyst. This will provide you with a foundation in technology skills, knowledge, and experience of working across IT and different aspects of the business.
2. Take opportunities to build your skills, knowledge, and experience in security, network admin, or cloud project management. These assignments will provide chances to build your technology proficiency.
3. Through internal promotion, take on more expert roles – for instance, incident response, penetration tester, forensics analyst, cyber intelligence, security consultant, or architect.
4. Advance to a security manager position. This will give you experience in leading and managing teams and implementing security programs. There may also be security director roles that you can take on that have greater responsibility.
5. Finally, we come to promotion to the CISO role. CISOs are responsible for the organization’s overall cyber strategy. The role typically reports to the CIO. However, it can also be aligned with the COO, given the critical nature of the position. The CISO is expected to understand the business and will also be expected to have strong stakeholder management skills.

The career path of the CISO has also been influenced by the acute shortage of staff with a security background. Hence, staff that have adjacent skills, knowledge, experience, and behavior, such as people experienced in network and cloud, can quite easily transition to this career path. There is also a well-trodden path of staff that have come from defense backgrounds, with operational intelligence experience, that have forked onto the CISO career path.

Now that you’re familiar with the CIO and CISO roles, let’s look at how your personal brand can help you on this chosen career path.

What is your current brand?

Your personal brand may or may not be clear to you. Your current brand can help or hinder the career ambitions that you hold. What I always have believed to be the litmus test for your personal brand is to find out the following: What do people say about me when I am not in the room? Like it or not, that is your personal brand.

There is no right or wrong brand. There are different types of CIOs and large variations in CISOs. However, your brand will be a constraining force that could cause friction against your ambitions. Do some analysis by writing down on a blank sheet of paper the attributes that you think others would say you have. These will be, by nature, both positive and – dare I say – negative traits. The following are examples of some positive traits of mine:

Figure 1.1 – David’s brand

Once you have drafted what you believe are your qualities, this can be tested by asking your colleagues and supervisor for their inputs. My advice is to not show them your draft – instead, let them know you are reflecting on career ambitions and want to get a baseline of your personal brand. Your partner at home can usually also easily provide this feedback. Finding someone that you trust who has your best interests at heart but who is also willing to be honest and provide you with these insights is critical.

Remember your brand is what people say about you when you are not there, so this may be quite difficult, and perhaps also confrontational, for the person that you have requested this input from. Indeed, it could also be difficult for you.

Taking this example, the question is What parts of my personal brand can I change? It may not be possible to change traits, so this will require deep reflection and thought.

To be a CISO or CIO, what do you need to change?

You will have been exposed to one or many different CIOs and CISOs in your career. They too will have a personal brand and you will have taken note of their attributes, and will also have noted which of these are the weaker and stronger traits. These CIOs and CISOs may either be ones that you have worked for or observed in broader industry events and collaborations. I’d say that the larger the sample set, the better your sense of what good looks like – and, for that matter, what bad looks like. Both ends of the spectrum can give you traits to copy and avoid.

Taking my own example, in my opinion, it is fitting to first focus on strengthening my positive traits rather than trying to address my weaker points. For most of my career, I’ve been told that strategic thinking is one natural strength that I possess. While I’m not sure when this became part of my brand, I would note that there is some element of this being innate – meaning I was born this way. However, I’ve also learned that this is what I care about; I have a strong personal interest in sharpening my thinking and honing this strength. Being a strategic thinker is a very good attribute that a CIO or CISO should possess. However, it may not be what you have documented in your assessment, and, indeed, not all in the CIO/CISO C-suite have this trait as a strength.

In my case, I’ve learned that what is behind this drive to continually sharpen my sword is a personal insecurity that I will become unessential and outmoded in this world of change. For a person who has made a career of delivering transformational change, this may sound a little silly, but the key is that I try to understand why I ruminate over certain things and exploit this for my own personal development.

As a CIO or CISO, one of your key responsibilities would be to develop an IT and cyber strategy. A strategy is simply deciding what to do and what not to do. In practice, it is not that easy, and the more that you do this, typically, the better you will become at mastering it. How you practice this will depend on where you are in your current career – we will cover in the next chapter how to develop these action plans.

But let’s continue with one of my examples – high energy. For me, this is a natural trait. I get energy from discussing ideas with others and making progress. In any normal meeting, I will be noticed for being habitually active and asking the right questions at the appropriate time. I use these interactions to learn about topics and understand the facts. Using my confident and intuitive nature, I sense the direction in which things should move and don’t lack the courage to test the positions of others.

A CIO or CISO doesn’t need to be a high-energy individual – in fact, most of the people that I have met are not. Many are reserved and analytical. To me, the secret is answering the following questions:

How do you make what you have work for your brand?
If you have traits that could be career derailers for the role that you aspire to, how can you develop a plan to make them less of a weakness?

Your personal brand will be what management or a recruiter will consider when you are in the selection process for a CIO or CISO role. They will review your CV and experience, accompanied by a reference check. The interview processes for these senior roles are usually much more robust than any other process that you will have encountered.

I once secured a CIO role that required 15 face-to-face interviews, via video conferencing – with one of them being held at midnight to meet the Global CIO of the enterprise. Some of those types of interviews are for selection and many others are to check your social fit with colleagues, peers, and – at times – even direct reports. There will be different selection methodologies applied and questions to probe strengths and weaknesses.

This will often involve probing weaknesses from the psychometric tests you might be required to complete. Moreover, the interview panel always looks at team fit, and whether they think your style will work in the new role. As CIO and CISO roles are considered strategic for the enterprise, they will want to understand your personal brand and how your leadership will drive the organization forward.

The reference checks for senior roles are particularly robust and there will be questions around how the candidate operates under pressure and how they are valued in their current role. If there are signals that the candidate’s personal brand is not consistent with what is being portrayed, it could signal the end of the process for the candidate. Being trustworthy and trusted is a critical part of your brand if you ever want to be a CIO or a CISO. Moreover, it is important to be who you are. That said, everyone, including me and you, has areas to develop and improve. This is the most critical advice that I can give you at any stage of your career when you aspire to be a CIO or CISO.

The following figure is an example that highlights my brand and attributes that colleagues have provided feedback to me on:

Figure 1.2 – David’s brand as perceived by others

Seeking feedback from a broad range of people and getting honest input is important. I have learned that strengths can be good attributes, but if they’re overused, then they detract from my brand.

You will also notice that there are more positive than negative feedback points. This is a natural part of the process – when I provide feedback, it is always important to have balance, and this does not mean equal numbers. Humans have a natural tendency to over-focus on negative feedback. Hence, we should always attempt to offer twice as many positive as negative points.

In my example, for all three negative traits, I have made a conscious effort to develop in those respects and make the traits less obvious. If I re-did my assessment today, I would certainly strike off two of the three as being part of my brand. For instance, Bringing others with me and Attention to detail can now be considered as strengths of mine. You may be asking how I addressed this gap. It has taken years of focus and concerted effort to do the things that I now do well. There is no secret – just be aware of the perceived gap and reflect on it as you take action in your role. If you have a proactive and positive view of bridging the gap, then it can be addressed. Of course, you should take feedback from your team and stakeholders – that is a simple way to conduct a pulse check on these areas.

Summary

The path to becoming a CIO or CISO is not an easy one. There will be numerous obstacles on your path when climbing that mountain. The route can be slippery with some jagged rocks, and as you ascend, there will be unwelcoming, cold conditions to greet you. But this is a journey and challenge that you want to take on.

In this chapter, you were introduced to the potential career trajectories of a CIO and CISO. This should help you have a better idea of where you currently are on your journey. You were then introduced to the idea of a personal brand. This can essentially be considered the starting point of your journey to understand your current brand. What do others say about you when you’re not in the room? These are your strengths and areas for improvement. There will always be work-on items. The real question is whether you have truly embraced this or just begrudgingly listened when this feedback was provided. Your personal brand will dictate whether you can achieve a CIO or CISO role. Your brand will shape your journey and prescribe what actions you need to take to address any perceived gaps.

The next chapter looks at an approach to developing yourself according to your own personal career goals.

2

How to Develop Yourself to Be a CIO or CISO

Some of you may aspire to be a CIO or CISO. The goal of this chapter is to provide insights that will help you progress in your career to become a CIO or CISO. In many ways, this will give you two shots on goal for two very senior and strategic roles. There are also other roles adjacent to that of the CIO: chief technology officer and chief digital officer. This chapter will provide insights that are applicable to all of these roles as many of these roles are interchangeable in terms of the attributes required.

The fundamental question to be addressed in this chapter is as follows:

How do I develop my skills, knowledge, experience, and behavior to be a CIO or CISO?

To successfully achieve your career goal, you will embark on a journey that will require you to change and grow. There are very few individuals who are ready from the get-go to be a CIO or CISO.

Therefore, the question is where do you invest the most effort to get this payback? Every road will take you to a destination, and each path can be rewarding and fulfilling; it just depends on what you seek.

In this chapter, we will cover the following topics:

Building your development plan – the Skills, Knowledge, Experience, and Behavior (SKEB) model
Why do soft skills matter?
Understanding the gaps in your soft skills

Building your development plan – The SKEB model

Many years ago, in one of my expatriate CIO assignments, there was a strong focus on developing the middle management of a large organization. The CEO, who was my manager, had a dilemma: there were many senior executives who performed well but did not develop their direct reports effectively. For many years, they had been recruiting people with strong MBAs or other reputable graduate degrees to enhance the skill level of the team; however, there was a fundamental issue – the professional development plans of the teams were weak. This resulted in slow development, and often, high-potential staff left for greener pastures.

The CEO decided to have a senior manager develop a good development plan framework and act as a role model for the rest of the team. Then they would teach the middle management in all-day training sessions, rather than using external specialist trainers or consultants. This would send a message to staff that the exercise was critical and had to be taken seriously. Each of the executives was taught a simple but powerful approach, the SKEB model, that was easy to remember and action with their teams. The SKEB competency model is a framework first developed for evaluating the skills, knowledge, experience, and behavior of individuals in the construction industry. This model has now been applied more broadly. It is used to assess an individual’s ability to perform their job effectively and safely. It can be represented as follows:

Figure 2.1 – What is SKEB?

The model is simple but powerful, and I’ve applied it across many industries and large enterprises. When you are young and want to grow in your career, your focus is naturally on the development of skills and knowledge. These are foundational elements that can be transferred from role to role and will be used throughout your career. There are some skills, such as database management, programming, and project management, that are immediately transferable between companies. Early in my own career, I learned to develop these skills, which became a solid foundation that I still use every day in my roles as a CIO and CISO.

Some examples of skills that I have been able to apply across industries, companies, and countries are as follows:

Problem-solving
Software coding and testing
Data modeling and analytics
Project management
Operations management (troubleshooting support etc.)
Web and mobile development
Network, cloud, and server administration
Six Sigma analysis
Agile development
Report writing

The key when starting out in your career is to seek out roles that enable further development of these types of skills. When you become a CIO and CISO, there will be less time and opportunity to develop these skills and your focus will be on experience and behavior. These are a combination of business and technology skills, together with soft skills, which we will discuss later in this chapter.