No Comments

What does it take to become a CISO?


Chief Information Security Officer (CISO) is one of the most responsible positions in the area of ​​information security. CISOs are the professionals responsible for ensuring that the board of directors, the CEO and the company, are concerned with data security, identifying the main threats of a business and what can be the financial impacts in case of incidents, Besides develop strategies information security efficient.

His routine is summarized in develop, implement and update security strategies, making sure that the company operates with awareness to avoid any unwanted surprises. CISOs are multitasking executive-level professionals who also respond to security incidents and data leaks.

In Brazil, we know that there is a high demand for qualified security professionals. This scenario is even more defined, when it comes to hiring a professional qualified to lead a team that communicates directly with the CEO and investors, in addition to being responsible for company data and able to justify publicly, in case the company is involved in data leaks or lack of compliance with the General Data Protection Law (LGPD).

Because they are level C professionals, that is, heads of sectors, CISOs have good salaries. However, in the Brazilian reality, wages are quite varied, it all depends on the size and the company’s relationship with data. According to Glassdoor, a website that collects information on the labor market in Brazil, the average salary for CISOs is R $ 21 thousand per month.

But, what is needed to work as a CISO in Brazil? The Hack contacted Burt Lima, CISO of RecargaPay and Galeno Garbe, CISO of Sky Brasil, who explain that there is no determined way, much less fast, to get a position in the position, since companies can be very individual and with specific needs, in addition to being a position that requires experience and technical knowledge.

For Burt Lima, who worked in the security of Redecard and Itaú, although extensive technical knowledge and being always up to date is essential, have a good posture and be able to translate the cybersecurity technical landscape for board members and the CEO are the indispensable points for those seeking a position in the position.

“Good executive posture and being able to speak a technical language in a simple way, which helps to show the risks of a process, helps a lot. The market looks for technically versatile people who disappear with their experiences and knowledge”, says Burt.

Galeno Garbe, who led the information security of companies such as Bitcoin Market, Uber, Movida and Sky, explains that to become a CISO it takes a lot of investment time and professional experience. “You can’t get someone out of college, put them on a training program to be CISO. This is impossible. It is necessary that he walked in the cybersecurity areas, passed through each of the disciplines and that he has a natural leadership profile “.

Photo: Evgeniy Shkolenko via iStock.
Photograph: Evgeniy Shkolenko via iStock.


For Burt, the issue of education and training is a very important point in this journey and although the courses in the area are expensive and in some cases even insufficient, the possibility of studying on the internet is a very accessible alternative.

“It is difficult to find quality training, because in addition to being expensive, some still do not deliver good content. Knowing the area technically and having different skills enable better visibility of the market. Thanks to technological developments, we were able to access a lot of information and knowledge, things that in the past were very complicated “, recalls Burt Lima.

As in any technology position, certified professionals are valued. There are several information security certificates available. Certificates Certified Information Systems Auditor (CISA) and Certified Ethical Hacker (CEH) they are of a more general character, but they are nonetheless important.

As for management positions (CISOs and CSOs), the market seeks planning professionals who have technical knowledge combined with administrative knowledge.

Certificates Certified Information Systems Security Professional (CISSP) it’s the Certified Chief Information Security Officer (CCISO) are specific to these positions. However, investing in a traditional degree and a Master Business Administration (MBA) graduate can be considered a valuable differentiator.

For Galeno, it is essential to know how to choose the right certification for the right moment in your career. “The certification that is still the most coveted in the area of ​​information security is the CISSP. This certification, however, has a more managerial orientation, indicated for professionals looking for an executive CISO career, since it is It takes more than five years of proven experience in information security to issue the certificate“, he explains.

For young professionals, who are looking for a career as an executive CISO, with a director profile, but are still at the beginning of their careers, Galeno recommends starting with certification CompTIA Security +.

Computia offers in its store a guide material for the Security + test. Photo: Comptia.
Computia offers in its store a guide material for the Security + test. Photograph: Comptia.

The executive also draws attention to the traditional teaching, that although it does not prepare a professional to work with cybersecurity, represents a solid knowledge base, necessary to work with information security.

“Not all companies accept professionals without a traditional degree, college is essential. The knowledge required to act in cybersecurity will hardly be taught in universities, which does not mean that it is not necessary“.


Not all companies have a professional contractor like CISO, but companies that deal with data and care about it, certainly have an information security officer.

It is common for larger companies to have a Chief Security Officer (CSO) as in charge of information security and physical security of the company. In the presence of a CSO, the CISO responds to the CSO. Since CISO is dedicated exclusively to data security.

A CSO also takes care of physical security, while CISO is dedicated exclusively to information security. Photo: Pixinoo via iStock.
A CSO also takes care of physical security, while CISO is dedicated exclusively to information security. Photograph: Pixinoo via iStock.

Another position that is directly related to information security is that of Technology director, in English: Chief Information Officer (CIO), which is also responsible for data security in the absence of a CISO / CSO.

CISO, however, can be hired by larger companies, to be the security manager, just as it can be hired by smaller companies where you will work in a more technical way, together with the operational security team.

It’s amazing how much the scope of a CISO changes, depending on the size of the company. In the market you have since the CISO executive, who leads a team, as there are also companies where CISO acts as a manager and really hands on, in a more operational way “, says Galeno.

Galen explains that technical knowledge is essential for both cases. “If the executive CISO, with a director’s profile, does not have a solid technical base, it can harm the company, spending too much money on staff and security solutions.”

Other indispensable skills, according to him, are that the CISO needs be able to form teams that deliver results and understand that the main thing is the business and the customers. There is no point in having impenetrable security, but a business without functionality. The business needs to work and some security risks must be taken.

“It is essential to keep in mind that the business and the customers, come before cybersecurity. Certain security risks are accepted if the business asks for them to be accepted“, concludes the executive.

See the original post at:

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.