From Cyber Guardian to Boardroom Luminary – A Personal Story About CIO Evolution Parallels, with Career Advice

(This article was originally posted on June 17, 2024, on my Enabling Board Cyber Oversight? blog series as From Cyber Guardian to Boardroom Luminary – A Personal Story About CIO Evolution Parallels, with Career Advice )

It’s like deja-vu all over again.

—Yogi Berra

Introduction

I’ve discussed the CISO role evolving “From Cyber Guardian to Boardroom Luminary” in two previous articles. One was entitled “From Cyber Guardian to Boardroom Luminary—Yogi Berra ,” and it refers to the quote above, which I’ll explain more in this article. The other was entitled “From Cyber Guardian to Boardroom Luminary—Top 5 Actions. ” The Top 5 Actions article was about immediate survival actions that CISOs must take to better connect with their C-suites and Boards.

In both cases, I showed the classic image of a board director inviting a cyber security guy to the big kids’ table. Boards are extending these invitations to cybersecurity managers in all industries worldwide. Some individuals will succeed in their elevated roles; many will not.

The Yogi Berra reference, also cited as the epigraph in my latest book, Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage , is the theme of this article. This article concerns career development and growth as the CISO role evolves from a tactical, technical, and spot-welding or fire-fighting assignment to a strategic, business-focused, architectural role.

The Yogi Berra reference will become apparent as I discuss what I observed and personally experienced over my career as a CIO. The new demands of the CISO and their team are analogous to how the CIO role evolved. I am writing this article to provoke CISOs and aspiring CISOs to take several actions now.

My Personal CIO Career Experiences

As happened when Chief Information Officers (CIOs) began to ‘earn a seat at the table’ decades ago, I observed and continue to observe the significant qualifications gaps between the newly elevated CISO role and what the C-suite and?board require.

Early in my career, I held “top” IT roles with titles like the manager of data processing, manager of information systems, manager of information services, director of information technology, and vice president of information services. These assignments, not labeled as such, were effectively the chief information officer role in those early days. Those of us in these roles typically reported to the chief financial officer (CFO), sometimes to the chief operations officer (COO), but rarely to the chief executive officer (CEO). Management asked me to focus internally on developing software to reduce business costs and improve internal processes, run the networking and computing infrastructure, be an excellent internal service provider, and worry about disaster recovery. The assignment was tactical and technical and involved much spot-welding or break-fix work. Career advancement was based mainly on getting three technical (not business) tickets punched with application development, data center operations, and telecommunications assignments.

The world of top IT jobs started to change due in no small part to Professor Michael Porter’s seminal Harvard Business Review article co-authored with Arthur Anderson & Co. managing partner Victor Millar entitled How Information Gives You Competitive Advantage . What had been largely technical qualifications for the top IT role became more strategic, business-oriented, and architectural requirements. The change did not occur overnight and certainly did not happen simultaneously in every industry. The top IT or CIO role today requires business strategists, process innovators, and executive-level business leaders, not mere service providers. Today’s CIOs must be capable of focusing on business imperatives, interpreting external IT success stories, managing IS executive relationships, communicating IT value, managing applications development, and building an architecture for the firm’s IT.

Here’s how I experienced this evolution. GE did not have a corporate CIO until the late 1980s. When GE filled that position, uncharacteristic of the then-count-on-it, promote-from-within practice if not mandate, GE hired a savvy manufacturing business executive from IBM, Ed Skiko. Ed was not at all a classic “IT guy.” He was a business leader, executive, and manufacturing expert, which were the core of GE’s business model. I had the pleasure of working for Ed Skiko for several years. Ed reported to Jack Welch, GE’s then-CEO.

A few years later, in 1993, Johnson & Johnson (JNJ) similarly established a corporate office of information technology and appointed a first-time-ever CIO. Similarly, historically rooted in a promote-from-within culture, JNJ did not turn to any of the top IT people in its 200+ operating companies in 60+ countries worldwide. They promoted Ron Morris, a senior business executive who ran JNJ’s consumer products business for Africa, the Middle East, and Asia (EMEA). Ron was not at all a classic “IT guy.” He was a global executive with solid relationships worldwide. Ron reported to Bob Wilson, JNJ’s vice chairman, who reported to Ralph Larsen, JNJ’s Chairman and CEO. In the fall of 1993, Ron hired me to standardize and centralize JNJ’s global networking and computing infrastructure.

In the GE and JNJ cases, the elevation of the top IT job required an elevation in the requirements to possess business savvy, executive presence, external customer and market focus, and relationship-building skills.

My last “new CIO” story is about being appointed executive vice president and CIO at Healthways, a $750MM publicly traded population health company based in Nashville. I replaced an individual who was technically competent and very hard-working. He had served in the CIO role for seven years and created a sound IT infrastructure. The company was preparing for the next growth stage and sought someone with more strategic, business-focused, and architectural qualifications. I was fortunate to earn the position.

Over time, while I was a member of the CIO’s team at GE and JNJ, we replaced dozens of IT managers and directors with the right skills for a previous role and era but not the right skills to lead their organizations to leverage information and IT for competitive advantage. Historically, for many who initially received a title change to CIO, it meant “career is over.”

CISO Career Challenge

The CISO role MUST evolve similarly, if not the same way. As the CISO role is elevated worldwide in all industries, many people are expected not to make it in the elevated role because they have not developed the business savvy, executive presence, external customer and market focus, and relationship-building skills described above. In Enterprise Cyber Risk Management (ECRM) as A Value Creator , I discuss ways that CISOs and those in the top ECRM or cybersecurity roles can create business value. These include but are not limited to increasing customer trust and brand loyalty, improving social responsibility, driving revenue growth, and facilitating digital transformation in addition to innovation.

Just as articles such as The rise of the revenue-generating CIO and Companies with a digitally savvy IT unit perform better are appearing today, it won’t be long before similarly titled articles appear about the CISO role.

The required qualifications for the CISO role are already starting to look like the ones I mentioned for CIOs, such as being able to focus on business imperatives and be strategic, think in terms of external ECRM and cybersecurity success stories, manage ECRM and cybersecurity executive relationships, communicate ECRM and cybersecurity value, manage ECRM and cybersecurity program development, and build an architecture for the firm’s ECRM program and cybersecurity strategy. ECRM and cybersecurity technology knowledge will be more critical than ECRM and cybersecurity skills and abilities. The ability to work closely with the C-suite and board to establish, implement, and mature your ECRM program and cybersecurity strategy is not a tactical, technical project. It is a strategic transformational business program that requires a strong executive.

Career Actions for CISO’s to Take Now

In “From Cyber Guardian to Boardroom Luminary—Top 5 Actions ,” these recommended actions focused on connecting with the C-suite and board and not on career advancement and included talking up cyber opportunities, engaging more with the C-suite and board, connecting to core board concerns (e.g., strategy, risk management, talent management), getting excellent at cyber risk management, and then pivoting to cyber opportunity management.

Here, I provide several specific career development considerations:

1. Find a business mentor in your organization. Do not choose your organization’s CIO as a mentor, whether you report to them or not. Short of your CEO becoming your mentor, I’d try for the CFO or your COO, who should care a lot about cyber risk exposures and business value creation opportunities.
2. Study, research, and learn the new business qualifications emerging for CISOs. I recommend researching how the CIO role has evolved over the last four decades since the changes will be similar. Research is being done, and books are being written on the new evolving CISO role. Some examples are The Phantom CISO: Time to step out of the shadow , The CISO Evolution: Business Knowledge for Cybersecurity Executives , or So, you want to be a CISO (Chief Information Security Officer): A practical guide to becoming a successful cybersecurity leader .
3. First, consider an MBA, not a Ph.D. in cybersecurity. I don’t have either, so this recommendation has no inherent bias. I thought about a Ph.D. in cybersecurity but abandoned that pursuit after assisting several Ph.D. candidates with their theses and seeing that most topics remained technical, tactical, and esoteric. That’s not what your business needs more of.
4. Hire a professional coach. Either directly or through programs like the IANS Executive Competencies program, complete a baseline competency assessment and build a plan of action to learn additional business leadership skills. Engage an accountability coach to guide you.
5. Engage with externally focused business leaders. Meanwhile, as they say, don’t just stand there, do something! Ship your focus externally to the market and customers you serve. Depending on your organization’s size, nature, and complexity, this may involve connecting with multiple lines of business leaders. I’m reminded of the classic Harvard Business Review article published twenty years ago, Staple Yourself to an Order , as one of the best ways to understand and see your business through your customers’ eyes.

Summary

If the CIO acronym were translated to mean “career is over,” with the increasing number of data breaches and cyberattacks occurring in all industries, we already see the CISO title translate into “career is seriously over.” Don’t let that happen to you. While the fate of many hardworking tactical and technical top ECRM and cybersecurity folks may be cast for some, if you follow the advice provided in this article, you will be in a better position to determine your career fate.

This article covers some essential career considerations for individuals in top ECRM or cybersecurity roles, but it’s just the beginning. To provide a broader context of what organizations need in their CISOs and delve deeper into the critical aspects of enterprise cyber risk management, from identifying and prioritizing risks to setting strategic objectives and securing leadership buy-in, get your copy of Enterprise Cyber Risk Management as A Value Creator today.