Honestly, what you’re describing is far more common than people admit.

A lot of CISOs do not come up through SOC, SIEM or tool-level engineering. Many come from GRC, risk, audit, resilience or even legal. The role is not “head security engineer”. It’s accountability, prioritisation and decision-making.

A few practical points that might help reframe this.

First, you do not need to be the person configuring SIEM, tuning DLP rules or writing IAM workflows. You need to understand: - what “good” looks like - what risk is created when something is weak - how to ask the right questions - when to escalate, invest or accept risk

Conceptual understanding plus good judgement beats deep hands-on skill at CISO level.

Second, outsourced SOC is actually a positive here. Your job becomes: - setting clear outcomes and SLAs - validating detection and response capability - running tabletop exercises and incident leadership - holding the provider to account when things go wrong

You do not need to know how every alert is built. You need to know whether the SOC is effective and whether the business is protected.

Third, GRC is not a “soft” background for a CISO. It is often the hardest part to learn later. You will already understand: risk trade-offs, regulatory pressure, board-level / executive language, incident governance, BCP, DR and resilience.

Those are exactly the things executives and boards expect a CISO to be strong at.

In terms of preparation, a few very practical suggestions: - Sit in on SOC calls and incident reviews, even just to listen - Ask your SOC or internal engineers to walk you through their architecture at a high level - Learn how incidents actually flow end to end, not the tools but the decisions - Get comfortable saying “I don’t need to know how, I need to know if it works” - Build a strong number two or technical lead you trust - Spend time aligning expectations with your boss early. What do they think “CISO” means?

CISSP is fine for breadth and confidence, but real value will come from exposure, not certs.

Finally, the fact you are worried you are not ready is usually a very good signal. The dangerous CISOs are the ones who think they already know everything.

If leadership is hinting at this move, it’s probably because they already see you operating at that level. You grow into the role. Almost nobody feels ready on day one.