A quick InfoWorld article on the traits of a good CISO. The tagline says some of these traits are surprising (or that maybe deep technical knowledge being lower is surprising), but I’m personally not surprised by this at all. I think the technical knowledge is related to making informed decisions, knowing what information is needed to make informed decisions, and in being a good mentor. Other traits are a good moral compass and the ability to take the blame. I really like the mention of taking blame, since it is so hard to admit being wrong or just taking the blame for someone else. We’re not trained that way as kids with school and report cards and everything else. We’re questioned by adults (parents) until we make up some excuse or blame someone else.
Oops, that turned into a ramble.
In reading your post I think you are confusing the role of CISO with that of middle management, or only seeing it from the view of small to medium-sized businesses (one line of business and fewer than 1,000 employees). In those cases the CISOs wear many hats.
All C-level leaders have to trust their direct reports (VPs, AVPs, Directors, Managers) to supply them with clear and concise technical data from operations. If he can’t, he needs to get rid of them and get people he can trust.
From the data a CISO receives, he can make strategic decisions. This leaves the operational decisions to the SMEs.
CISOs need to focus on securing the company for new endeavors that the company is growing into. Dealing with new legislation. Negotiations for acquisitions and mergers. Not the commands needed to cascade firewall policies across the enterprise.
…my soap box rant.