For any current or wannabe chief information security officer (CISO), the phrase “may you live in interesting times” has likely taken on a highly personal meaning. As Robert F. Kennedy once remarked, “Like it or not, we live in interesting times. They are times of danger and uncertainty; but they are also more open to creative energy than any other time in history.”
This is quite an accurate summary of the contemporary CISO’s situation. Information technology (IT) has recently enabled more creative and transformational opportunities for businesses than perhaps in any other time in history. At the same time, IT has enabled entirely new levels of security-related risk and uncertainty.
With this in mind, what sort of experience and skills do today’s CISOs — and the CISOs of tomorrow — need to have?
As a foundation, remember that the single most important focus for CISOs today is relevance, meaning they must be connected with and valued by the organization they support. These two attributes actually point at some of the most important skills for today’s CISO, but we’ll come back to that later.
A Tale (Actually, a Retail) of Two CISO Candidates
First, let’s conduct a simple thought experiment. You have just been put in charge of hiring the executive to be in charge of the information security function at a large discount retailer. Here are two hypothetical candidates:
Candidate No. 1: A 20-year industry and company veteran with limited technical experience
- Has an undergraduate degree in retail merchandising
- Has a master’s degree in business administration
- Started with the company as an assistant buyer
- Left the company and later rejoined to run its call centers
- Promoted from within to oversee all technology services, including corporate systems, guest systems, supply chain systems, IT services, website/digital assets, data warehouse, business intelligence, software quality and software testing
Candidate No. 2: A 20-year industry veteran with limited industry experience
- Has an undergraduate degree in computer studies
- Worked two years as a programmer analyst for a technology consulting firm
- Spent one year as a network systems engineer for a high-tech vendor
- Worked two years as a global services systems engineer for a high-tech vendor
- Worked 11 years in multiple security and compliance roles (including CISO) in an unrelated industry
- Spent two years as CISO in an unrelated industry
You’re in charge. Which background do you think would more likely help the person hired to be your CISO to connect with and add value to the organization? Deep industry and company experience with lighter technical skills? Or an outsider to the industry and to the company with deep technical skills and functional experience?
The right answer, of course, is that there is no right answer; there are many factors involved in selecting the right C-level executive for any given organization. In the particular real-world case upon which this hypothetical example is loosely based, however, the role was originally held by Candidate No. 1, who was subsequently replaced by Candidate No. 2 in the aftermath of a significant security breach. Experience shows that in “interesting times,” it’s very common for the pendulum to swing hard from one direction to the other, especially at the senior leadership level.
Emerging CISO Candidates: The Business-Oriented Technologist and the Tech-Savvy Businessperson
In the IBM Center for Applied Insights report titled “A New Standard for Security Leaders,” conversations with 41 current information security leaders surfaced some of the following consistent advice for achieving success as a CISO:
- Have a strong security strategy and policy
- Maintain comprehensive and holistic risk management
- Keep effective relations with business leaders
- Make concerted communications efforts
These four ideas effectively echo the previous point about relevance: The last two are about connecting with the organization, and the first two are about adding value. Perhaps the overarching theme is that the next generation of security leaders needs to bridge the gap between technology and business.
The IBM report drives this home in a subtle way when it notes that “security leaders believe these activities are increasingly important as they build on their technology competencies and expand their business acumen.”
This is a general statement, but it matches with experience: Most current security leaders tend to be technical people who are working to add business skills as opposed to the other way around.
The Future CISO: 10 Distinguishing Characteristics
One vision for the skills and experience needed by the next-generation chief information security officer is an ongoing transition to servant-leadership containing the 10 characteristics described by Larry C. Spears. In a slightly modified summary and regrouping of these 10 characteristics, servant-leaders are distinguished as excellent when they are:
- Communicators, with the ability to listen, empathize, heal divisions and persuade/build consensus
- Strategists, with strengths in awareness, conceptualization and forward thinking
- Builders, with a commitment to stewardship, growth of people and growth of the community
Today’s security leaders have already started to recognize that “the skills that got them there were not the skills that are enough to keep them there,” as a wise colleague once observed. Continued progress down this path will result in even greater relevance to their respective organizations.
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group