CyberTalents has launched a series of webinars about cybersecurity jobs named “What is required to work in cybersecurity jobs?”. Throughout the series, we talk about different cybersecurity jobs and what is required to work in each of them: spotting each job, explaining it in detail, describing its daily operations, the resources and training needed, and much more. There are around 15 to 20 jobs in the cybersecurity field. Before starting your career, however, you need to identify which one of these jobs you would like to master, and then draw your career path, build your plan, and reach your ultimate goals accordingly.
We were honored to have “Eng. Bahaa Othman”, who has about 20 years of experience in different areas of cybersecurity and in securing different types of organizations. He is a frequent public speaker at many conferences, webinars, and panels, provides customized training in different cybersecurity subjects, and provides consultancy for many organizations. He was the CISO for 3 organizations and has many initiatives to support the community. He graduated from ITI in Cyber Security in its first intake and holds a BSc. in Computer Engineering.
In this webinar, he gave a full overview of the CISO job market and how to start your career in this field.
What are the types of organizations?
1- Typical Environment/Default
2- Static Environment/Critical Infrastructure
3- Dynamic Environment/Software Companies/FinTech
Our speaker describes “How is the security team structured?” using a football team analogy, as follows:
- GRC (Goalkeeper): The ones responsible for setting the rules for the organization.
- SOC and Monitoring (Defenders): The ones responsible for detecting incidents and threats, and sometimes also for preventing them from happening.
- Architecture and Engineering (Midfielders): The ones responsible for operating the security of the organization; they are the most skilled team in the company.
- Security Testing (Strikers): The ones responsible for testing and finding issues, bugs, and vulnerabilities.
- CISO (Coach): The one responsible for the company's objectives.
Now let us find out “Who is actually the CISO?”
The chief information security officer (CISO) is the executive responsible for an organization's information and data security. Here are some of the main points that our presenter highlighted:
- The C-level executive who is responsible for the information and data security of an entire organization or business.
- The CISO's scope differs from one organization to another (it covers data in all formats, even non-digital ones).
- The CISO is an independent function required by the CBE and other regulators.
- The main focus of a CISO is nothing but security.
So, what are the lines of defense in any company?
Octopus?! Nope, he is a CISO :P
What are the roles of the CISO?
So, the CISO needs to know at least something about everything, in order to be the expert at the table.
Now let’s dive into the areas of responsibility of the CISO:
- Security Operations
- Cyber Risk and Cyber Intelligence
- Data Loss and Fraud Prevention
- Security Architecture
- Identity and Access Management
- Project and Program Management
- Investigation and Forensics (4n6)
- Risk Assessment, Mitigation, and Avoidance
- Legal and Regulatory Compliance
- Security Awareness Program
- Budget and Prioritization
- Reporting Security Status
What are the skills and “languages” required to be a CISO?
- Business Knowledge
- Technical Knowledge
  - IT (Networks, Systems, Applications, Trends (Cloud, DevOps, etc.))
  - Security (Technologies, Standards)
- Management Skills
- Personal Skills
- Business Language
- Selling security requirements
- Presentation and Documentation
- Desire to learn all the time
Certifications: in our speaker's point of view, there are three main situations where you need to get certificates:
1- When you are a fresh graduate
2- If you want to be a CISO
3- If you want to work with service provider companies
What certificates are required to work as a CISO? Keep in mind that experience is much more important than certificates!
Resources for acquiring knowledge:
- Start with the Basics (Security+)
- Security Standards (ISO, PCI, NIST, CSC20, GDPR, etc.)
- Security News
- Vendor Newsletters
- Conference Presentations
- SANS Reading Room
If I’m preparing for a CISO interview, what is the ideal preparation?
In addition to the required skills discussed earlier in this article, at the interview the interviewer mainly cares about the management mindset that you have. Your image also makes a difference, so you should look casual, and reputation matters a lot.
Is the CISO role applicable to all fields, such as physical and digital security?
It depends on the company to determine your scope, but yes, it could involve both physical and digital security as long as the objective is to protect the organization.
Can people from different cybersecurity backgrounds become a CISO in the future?
Any background is useful for becoming a CISO as long as you have the required skills, but it would be better to start with an offensive background.