How to Become a CISO in 2026: The Complete Career Roadmap

The definitive guide from someone who has done it and helped hundreds of others do the same.
Let me be straight with you.

Most “how to become a CISO” guides are written by people who have never been a CISO. They recycle the same generic advice — get your CISSP, build your network, develop your soft skills — without ever telling you what it actually takes to land the role, survive the first 90 days, or build the kind of career that takes you from a help desk in Australia to advising NATO in Ankara.

I didn’t plan to become a CISO. I started in IT, moved into security because it was the most interesting problem in the room, and spent years building technical depth before I thought seriously about leadership. When I eventually found myself managing teams at Microsoft, then running cybersecurity across 23 countries as Regional CISO at Standard Chartered Bank, then serving as CISO at Morgan State University — I realised that most of what I needed for that journey wasn’t written down anywhere useful.

This guide is what I wish someone had given me.

What a CISO Actually Does in 2026

Before we talk about how to become one, let’s talk about what the role actually is — because the gap between the job description and the reality is enormous.

The CISO of 2026 is not primarily a technical role. It stopped being primarily technical around 2018, and any organisation still treating it that way is already behind. Today’s CISO is a business executive who understands technology deeply. Your primary stakeholders are not your security team — they are the CEO, the board, the CFO, and your peer executives. Your primary deliverable is not a secure network — it is confident, quantified, business-aligned risk management.

When I was at Standard Chartered, my week looked nothing like what most security professionals imagine. More time in stakeholder meetings than in front of a security dashboard. Budget negotiations. Regulatory engagement across 23 central banks. Commercial conversations where security was a deal-enabler or a deal-killer depending on how I showed up. The technical decisions largely belonged to my team. My job was to create the conditions for them to make good ones, and then translate the outcomes into language a board in Dubai or Karachi could act on.

That is the job. And it changes everything about how you should prepare for it.

If you spend the next five years becoming a better penetration tester, you will not become a better CISO candidate. If you spend those years becoming a better business communicator, a stronger risk manager, and a more credible executive presence, you will.

The Three Phases of the CISO Journey

The path from security professional to CISO follows a consistent pattern. The timeline varies — I’ve seen people get there in 12 years, others in 20 — but the phases are remarkably consistent.

Phase 1 — Technical Foundation (Years 1-5)

You cannot skip this. The CISO’s authority comes partly from track record, partly from relationships, but also from credibility as someone who has actually done the work. Your security team will know whether you have or not. And a CISO who cannot credibly engage with technical decisions loses the respect of the people they need most.

During this phase, your priority is breadth over depth. You want enough working knowledge across enough domains that you can engage intelligently on any topic: network security, endpoint protection, incident response, identity and access management, cloud security. You don’t need to be the best penetration tester in the room. You need to understand what the best penetration tester is telling you and why it matters.

What I did in this phase: I took the harder assignments. I volunteered for incident response. I got involved in architecture decisions above my grade, not out of ambition but out of curiosity. That curiosity is what built the foundation.

Get your CISSP. Not because it makes you dramatically better at security (it won’t), but because it signals to hiring managers that you have the breadth to operate at a senior level. It is the most recognised security credential globally and it opens doors that other certifications don’t.

Phase 2 — Leadership Development (Years 5-10)

This is where most technical security professionals plateau, and it is the most common reason talented people never reach the CISO seat. The transition from technical expert to security leader requires a fundamental shift in how you define your own value.

In Phase 1, your value came from what you could personally do. In Phase 2, your value comes from what you enable others to do. This sounds simple and is profoundly difficult in practice. Many security professionals never make this shift, spending their entire careers as excellent individual contributors who wonder why they keep getting passed over for senior roles.

The leadership development phase has two equally important tracks. The first is formal security management experience — roles like Security Manager, Security Architect, Deputy CISO, or Head of Security Operations. You need to manage budgets, manage people, manage stakeholder relationships. There is no shortcut here. The second track is business acumen development, and this is where most technical people are most exposed.

Business acumen means understanding how companies make money, how boards think about priorities, how CFOs evaluate investment decisions. You develop this by deliberately seeking out cross-functional experience: working closely with finance, operations, legal, and commercial teams. By reading annual reports, not just security news. By understanding your organisation’s competitive position well enough to explain how your security programme supports it.

When I joined Microsoft as a Cybersecurity Architect, I made a point of spending time with account teams and sales leadership. Not to talk about security, but to listen to their commercial pressures. That investment paid dividends for years. I could walk into a client boardroom and frame security in terms of their business problems, not my security agenda.

The certifications that matter here shift accordingly. CISM is explicitly a management and governance qualification. ISO 27001 Lead Implementer demonstrates you can run a standards-aligned programme. CRISC builds the risk management fluency that boards increasingly demand.

Phase 3 — Executive Readiness (Years 10+)

By the time you are ready for the CISO seat, the role should feel like a natural extension of what you are already doing. If it feels like a dramatic leap, you likely have one more phase of development ahead.

Executive readiness means several things. You can present to a board without notes and hold the room. You can build and defend a multi-million-dollar budget against a sophisticated CFO. You have managed a serious incident and made good decisions under pressure. And you have a point of view on security strategy that is genuinely your own, shaped by your experience, your thinking, and your judgement — not just a recitation of frameworks.

This is also when personal brand starts to matter more than most people expect. CISOs are hired significantly on reputation — what people say about you in rooms you are not in, what your writing says about your thinking, what your speaking record says about your ability to represent an organisation. If nobody outside your current employer has heard of you, your candidacy for a major CISO role will be limited to your immediate network.

I started speaking at conferences early, writing when I had something worth saying, and engaging in industry conversations that had nothing to do with my current employer. That consistency over years is what eventually led to Black Hat, Gartner, Microsoft Ignite, NATO — and every other platform that has extended my reach and my impact.

The Certifications That Actually Matter

Let me give you the honest version, not the vendor-sponsored one.

Certifications are signals. They tell hiring managers you have a baseline of knowledge and the discipline to prepare for a rigorous exam. They are not a substitute for experience, and experienced hiring managers know this. A candidate with a CISSP and three years of genuine experience will beat a candidate with eight certifications and no real-world depth every time.

With that said, here are the certifications with the highest signal value for a CISO career:

Early career: CompTIA Security+ establishes baseline credibility. CEH demonstrates the offensive security mindset every defender benefits from: you cannot effectively protect what you don’t understand how to attack.

Mid career: CISSP is effectively mandatory for senior security roles in most large organisations. CISM complements it well: where CISSP is broad and technical, CISM is explicitly focused on management and governance. ISO 27001 Lead Implementer is increasingly valuable as compliance demands grow.

Senior level: CCISO from EC-Council is specifically designed for the CISO role and covers the business, governance, and leadership dimensions other certifications miss. CRISC adds significant value in heavily regulated environments. Cloud certifications (AWS Security Specialty, Azure Security Engineer) signal currency with modern infrastructure.

I have nearly 100 certifications. I am not recommending this path. For most aspiring CISOs, six to eight strategically chosen certifications across the right domains will serve you far better. Choose certifications that fill genuine knowledge gaps, not ones that look impressive on a wall.

Building the Business Acumen Boards Actually Demand

This is the section most CISO career guides skip entirely. It is also where most technical security professionals are most underprepared.

The board doesn’t speak security. They speak revenue, profitability, shareholder value, regulatory liability, reputational risk, and competitive advantage. If you walk into a board meeting and talk about CVE scores and patch percentages, you have already lost the room.

At Standard Chartered, I was reporting to boards across the Middle East, Africa, and Pakistan — many of which had never had a cybersecurity-specific conversation before. Walking in with a technical briefing would have been worse than useless. I had to frame every security decision in terms of what it meant for the bank’s licence to operate, its ability to expand into new markets, and its exposure to regulatory action.

Here is what actually develops this ability. Spend time with your CFO — not asking for budget, but genuinely learning how they think about investment and return. Ask them what keeps them up at night about the business. Listen more than you talk. Learn to quantify cyber risk in financial terms. A CISO who can tell the board “our identity programme reduces our annualised loss expectancy by $3.2M at a programme cost of $800K — a 4x return” will always get their budget. A CISO who asks for the same budget because “we need to improve our security posture” will fight for it every cycle.
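The board sentence above rests on a small amount of arithmetic that is worth making explicit. The following Python is an added example, not the article's own material: it computes annualised loss expectancy (ALE) as SLE × ARO for each loss scenario a control addresses, totals the reduction the control buys, and derives both the gross return multiple the guide quotes and the net ROSI a CFO may ask for instead. The two scenarios, their dollar values and occurrence rates are constructed for illustration and chosen so that the totals land on the $3.2M reduction and $800K cost used in the text.

```python
"""Annualised loss expectancy before and after a control, and the return on
that control, as a worked example of board-level cyber risk quantification.
Added example; not the article's own code. Every scenario, dollar value and
frequency below is constructed for illustration, not measured from a real
programme."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float           # single loss expectancy: cost of one occurrence, in dollars
    aro: float           # annualised rate of occurrence before the control
    residual_aro: float  # expected occurrences per year with the control in place

    def ale_before(self) -> float:
        # ALE = SLE x ARO: the expected annual loss from this scenario today
        return self.sle * self.aro

    def ale_after(self) -> float:
        # Same scenario, with the control reducing how often it happens
        return self.sle * self.residual_aro

    def reduction(self) -> float:
        return self.ale_before() - self.ale_after()


def programme_summary(scenarios: list[RiskScenario], programme_cost: float) -> dict:
    """Aggregate the scenarios a control addresses into figures a board can
    act on: total ALE reduction, gross return multiple and net ROSI."""
    if programme_cost <= 0:
        raise ValueError("programme cost must be positive")
    reduction = sum(s.reduction() for s in scenarios)
    return {
        "ale_before": sum(s.ale_before() for s in scenarios),
        "ale_after": sum(s.ale_after() for s in scenarios),
        "ale_reduction": reduction,
        "programme_cost": programme_cost,
        # The guide's "4x return": expected loss avoided per dollar spent
        "return_multiple": reduction / programme_cost,
        # ROSI as usually defined: net benefit relative to cost
        "rosi": (reduction - programme_cost) / programme_cost,
    }


# Constructed scenarios that a hypothetical identity programme addresses.
IDENTITY_PROGRAMME_SCENARIOS = [
    RiskScenario("Account takeover via credential phishing",
                 sle=4_000_000, aro=0.5, residual_aro=0.125),
    RiskScenario("Standing privileged access misused",
                 sle=800_000, aro=2.5, residual_aro=0.375),
]
IDENTITY_PROGRAMME_COST = 800_000  # constructed annual programme cost


def board_sentence(summary: dict) -> str:
    """Render the summary as the single sentence the guide recommends."""
    return (
        f"Our identity programme reduces our annualised loss expectancy by "
        f"${summary['ale_reduction'] / 1e6:.1f}M at a programme cost of "
        f"${summary['programme_cost'] / 1e3:.0f}K, a "
        f"{summary['return_multiple']:.0f}x return."
    )


if __name__ == "__main__":
    summary = programme_summary(IDENTITY_PROGRAMME_SCENARIOS, IDENTITY_PROGRAMME_COST)
    for s in IDENTITY_PROGRAMME_SCENARIOS:
        print(f"{s.name}: ALE ${s.ale_before():,.0f} -> ${s.ale_after():,.0f}")
    print(board_sentence(summary))
```

Two design points matter in practice. The residual ARO is where the argument is won or lost, so it should come from evidence (incident history, control testing, industry loss data) rather than a round number, and the gross multiple and the net ROSI should both be on hand, because a CFO who hears "4x" will often ask for the net figure.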

Read the annual reports of companies in your sector — not just your own employer, but competitors and customers. Understanding the business pressures facing organisations in your industry makes you a dramatically more effective security advisor. When a sales leader is trying to close a $10M enterprise deal and the customer’s security team is blocking it over data handling concerns, your CISO either becomes a dealmaker or a deal-killer. Know which one you want to be.

The First 90 Days in the Seat

Getting the CISO role is only the first challenge. What you do in your first 90 days defines your credibility and effectiveness for years.

Do not try to fix everything at once. This is the most common mistake new CISOs make, particularly those arriving from strong technical backgrounds. In your first 90 days, your primary job is to listen, learn, and build relationships — not to implement your security vision.

Days 1-30: Understand the business and the landscape. Read every available document — annual reports, board presentations, previous security assessments, incident history. Meet every senior stakeholder. Ask them all the same question: “What do you wish the security team did differently?” The answers will tell you more about where to focus than any technical tool.

Days 30-60: Conduct your own assessment of the security programme. Do not rely entirely on what you have been told — verify independently. Look at the actual state of controls, not the documented state. Identify your top three to five risks with enough rigour that you can defend them to a sceptical board. This becomes the foundation of your strategy.

Days 60-90: Develop and socialise your 12-month roadmap. Present it to your CEO and key stakeholders before any formal presentation — you want feedback and buy-in before you go public. Changes that would be welcomed from a trusted insider are resisted from a new face who has not yet earned the right to be heard.

One more thing: in your first week, ask your CISO predecessor what they would have done differently. If they’re gone, ask the people who worked most closely with them. The candid answer to that question is usually the most important intelligence you will collect in your entire onboarding.

Who Should NOT Become a CISO

This is a question worth asking honestly, and most guides don’t ask it at all.

If you are not genuinely comfortable making decisions with incomplete information under time pressure — this role will break you. Security incidents don’t wait for all the facts to be assembled. You will regularly need to make calls that affect the entire organisation based on what you know right now, with full awareness that you might be wrong.

If you resist accountability for outcomes you cannot fully control — find a different track. You will be held responsible for breaches that originate in a vendor’s system, in a user’s behaviour, in a zero-day that nobody could have anticipated. The CISO role carries accountability that extends well beyond your span of control. That is simply the nature of the job.

And if you cannot genuinely find joy in the human side of leadership — building teams, developing people, managing the messy reality of organisations — the technical parts of the CISO role will not compensate. The security strategy is important. The team that executes it is everything.

What Separates Good CISOs From Great Ones

After 25 years and exposure to security leaders across six continents, the difference between good and great consistently comes down to a handful of factors that have nothing to do with technical skill.

Communication ruthlessness. Great CISOs are obsessed with clarity. They can explain any concept to any audience without jargon. They know that the most technically correct answer is worthless if nobody can act on it.

Risk courage. There is a real difference between surfacing risk information and making risk recommendations. Boards don’t need a CISO to list the risks — they need one to tell them what to do. Great CISOs put their professional judgement on the line. They don’t hide behind frameworks when a decision needs to be made.

Team investment. Your team is your single biggest multiplier. The CISOs who build the most enduring programmes are relentless talent developers. They hire for potential as much as current skill. They mentor deliberately. They build environments where exceptional people want to grow their careers.

Resilience. This job carries weight that most people don’t see from the outside. You are accountable for things you cannot fully control. You carry the knowledge that a failure on your watch could cost people their jobs, their data, their privacy. The CISOs who last and thrive have the ability to process that pressure, learn from setbacks, and come back stronger. That resilience is not innate for most people — it is developed deliberately over time.

A Non-Negotiable on Reporting Structure

Let me be careful here, because this is nuanced: the reporting structure question matters more than you might think.

The ideal CISO reporting structure is a direct line to the CEO with independent access to the board. Full stop. In that structure, when security priorities conflict with technology delivery priorities — and they will — those conflicts get resolved at the right level, by the right people, with the right authority.

The reality? Many CISOs today, including some of the most effective ones I know, report to a CIO. And it can work — if the CIO genuinely champions security, understands cyber risk as a business risk rather than an IT cost, and gives the CISO the independence and access they need to do the job properly.

The problem is not the reporting line itself. The problem is a CIO who views cybersecurity as subordinate to delivery timelines, who filters security escalations before they reach the board, or who treats the CISO as a technical function rather than a strategic one. In those environments the CISO’s effectiveness is structurally limited — not because of their capability, but because of where governance sits.

So here is my honest advice: before you accept any CISO role, ask these questions regardless of who you report to.

Do I have direct access to the board or audit committee without going through my manager? Can I escalate a critical security risk to the CEO or board independently if I need to? Does the organisation’s leadership genuinely treat cybersecurity as a business risk rather than an IT problem? Is there a clear mandate for security to have a voice in major business decisions?

If the answers are yes — the reporting line matters less than you might think. If the answers are no — the reporting line is the least of your problems.

The goal is not a specific org chart position. The goal is genuine influence at the level where risk decisions are actually made. Fight for that, regardless of what the structure looks like on paper.

What CISO Compensation Actually Looks Like in 2026

Most guides avoid this. Let’s not.

As of 2026, CISO base salaries in major markets range from $180,000–$220,000 for mid-market organisations to $400,000–$600,000+ for large enterprise and financial services roles. Total compensation including equity and bonuses frequently pushes well above these ranges.

The factors that drive compensation upward consistently: regulated industry (financial services, healthcare, defence), large and complex organisations, significant cloud footprint, post-breach remediation roles, and a demonstrable track record of building mature security programmes from the ground up.

The factors that limit it: narrow technical focus without business leadership experience, weak board communication skills, and lack of external visibility in the industry.

Your Action Plan — Start Today

The path to CISO is long, and the single best thing you can do is start now rather than when you feel ready. You will never feel fully ready. That is true of every CISO I have ever known, including on the day they started their most challenging role.

If you are in your first five years: Get your CISSP within two years. Build genuine hands-on experience across multiple security domains. Start reading business news alongside security news. Develop the habit of understanding the business context of every security decision you make.

If you are in years five to ten: Make the leadership transition deliberately. Seek out management responsibility even when it is uncomfortable. Build cross-functional relationships outside your team. Start writing and speaking — even at small venues, even imperfectly. Develop your authentic point of view on security strategy.

If you are approaching executive readiness: Invest in your visibility. Speak at conferences. Engage with peer CISO communities like the Global CISO Forum. Build the external reputation that makes you a compelling candidate when the right role emerges.

At every stage: find people who have already walked the path and ask for their time. Most senior security leaders are more accessible than you might think. One honest conversation with someone who has done the job is worth more than any course or certification.

The CISO role is one of the most challenging and most meaningful executive positions in modern business. It sits at the intersection of technology, business strategy, law, psychology, and geopolitics. It matters in ways that are immediate and measurable — and sometimes literally life-critical.

If this is the path you want, commit to it fully. The seat is waiting. Go earn it.

Dr. Erdal Ozkaya is the Strategic CISO at Morgan State University, author of 26 cybersecurity books, Microsoft MVP 2009–2025, NATO Cybersecurity Advisor, and President of the Global CISO Forum. Download his free CISO Toolkit — governance templates, playbooks and frameworks used by enterprise CISOs globally.
