
What do CISO training programs cover and are they worth it?

CISO training programs, like the Deloitte CISO Transition Lab, are available for those who are new to the role. Expert Mike O. Villegas explains what's covered in these programs.

I recently heard about a training session for CISOs called the Transition Lab. What does a CISO training class like this cover? Are there others available in the industry, and are they worth the time and effort?

CISOs need cybersecurity training just like everyone else. Deloitte offers a one-day session, the CISO Transition Lab, to newly appointed CISOs at its Fortune 1000 clients at no cost; each lab is customized for the individual as he or she takes on the new role. Before the one-day session, the Transition Lab facilitator spends about four to six weeks gathering information on the CISO, the industry and the organization, interviewing stakeholders and learning about any projects already under way that affect security.

Based on testimonials, the program appears to have satisfied its participants. CISO Transition Labs started nearly two years ago, and more than 35 CISOs, at a pace of up to one per week, have completed the lab.

Those who have taken the CISO Transition Lab include both internal and external hires; however, the majority do not come from technology fields, which underscores that a CISO must be business oriented, not just technical. Deloitte currently does not offer the program to SMB-sized companies, but the program is still young. It is being expanded into a mentoring program in which CISOs can help other CISOs in the same industry. Formal quarterly follow-up sessions are left to the CISO to arrange, but a CISO Strategic Vision Lab and a CISO Transformation Lab, the latter of which includes the staff who report to the CISO, can provide additional guidance and interaction.

The EC-Council offers the Certified CISO (C|CISO) certification, which focuses on applying information security management principles from an executive management perspective. Carnegie Mellon University also offers a six-month CISO Certificate Program designed to develop CISOs within their organizations; those who complete it are eligible for a scholarship toward a master's degree equal to the amount paid for the CISO program.

CISO training should include how to:

  • Communicate the cybersecurity program to C-level executives in language they understand;
  • Embed cybersecurity into the corporate culture;
  • Resolve cybersecurity incidents that seem intractable;
  • Develop enough technical acumen to stand toe-to-toe with IT engineers;
  • Propose pragmatic approaches to dealing with cybersecurity threats; and
  • Earn the right to a seat at the executive table.

Another form of CISO training is to participate in regional CISO forums sponsored by ISACA and ISSA. In Los Angeles, for example, an informal program exists in which regional CISOs sit in a closed room and candidly discuss issues, challenges, successes, vendor products, executive communications and other topics. All participants agree not to divulge outside these meetings what was discussed, which allows for unusually open conversations that everyone present can identify with and learn from.

A ThreatTrack Security survey of 203 C-level executives at U.S.-based enterprises that employ a CISO found that 52% of CEOs, 35% of COOs and 43% of CFOs believe CISOs deserve the blame for security incidents. The same survey found that 61% of the executives surveyed do not believe their CISO would succeed in a leadership role outside information security. Perceptions like these are a reminder that a CISO's credibility with the business has to be earned, not assumed.

A CISO typically enters the position with strong leadership and technical skills. She understands strategic business objectives, has a good presence in front of C-level executives and has enough experience to build an information security program. These are excellent qualities, but she should never be satisfied with them. A CISO should be willing to keep expanding her knowledge and skills and to exceed management's expectations.


This was last published in May 2016
