A post over on CSOOnline, “How the CISO role is evolving,” goes over some interesting discussion points about the CISO role.
I initially targeted my notes on the list of skills for the CISO:
- Security operations
- Cyberrisk and cyber intelligence
- Data loss and fraud prevention
- Security architecture
- Identity and access management
- Program management
- Investigations and forensics
Holy cow, is there anything in Infosec left untouched there? Then again, CISO is the top of that leadership pyramid, right? But, this illustrates to me how difficult the CISO’s job will be if they do not report into or next to the IT overall organization. Reporting outside of IT means lots of consulting and ultimately audit-like tasking that hopes all of the above items end up getting done (and likely won’t be). And I’ve yet to see IT auditing being even partially effective or useful.
Later in the article, it starts to get real about the most important job requirement for a CISO role not necessarily being the technical understanding. I think it’s true that at this level, a key skill is “advocating for security within the company leadership.”
I think leadership traits are also important, but that’s always a funny thing within any department, team, or organization. Particularly in a technical field. At least for me, technical credibility is a key trait of leaders I respect and react positively towards. Someone who does not understand the technical aspects and demonstrates this by being wrong on a regular basis, just do not get respected by me and will not be a good leader for me. And it’s not like I need them to be highly technical; but I need them to be technical enough to know and be open about their limitations, and big enough to allow others to fill in the gaps. Leaders who get technical things wrong, don’t understand that they’re wrong, and thus never seek information from their team in order to make proper decisions, are what cause security to take steps backwards.
And it’s not just me, but many technical teams will stop listening to security if the people they interact with are regularly wrong, or vague, or confusing, or belligerent, or just not keeping up. Technical people who know the right answer don’t tolerate people who cling to wrong answers.
Another way to say this is the CISO needs to know enough to know their team is performing as needed, or if they need assistance.