For any current or wannabe chief information security officer (CISO), the phrase “may you live in interesting times” has likely taken on a highly personal meaning. As Robert F. Kennedy once remarked, “Like it or not, we live in interesting times. They are times of danger and uncertainty; but they are also more open to creative energy than any other time in history.”

This is quite an accurate summary of the contemporary CISO’s situation. Information technology (IT) has recently enabled more creative and transformational opportunities for businesses than perhaps in any other time in history. At the same time, IT has enabled entirely new levels of security-related risk and uncertainty.

With this in mind, what sort of experience and skills do today’s CISOs — and the CISOs of tomorrow — need to have?

As a foundation, remember that the single most important focus for CISOs today is relevance, meaning they must be connected with and valued by the organization they support. These two attributes actually point at some of the most important skills for today’s CISO, but we’ll come back to that later.

A Tale (Actually, a Retail) of Two CISO Candidates

First, let’s conduct a simple thought experiment. You have just been put in charge of hiring the executive to be in charge of the information security function at a large discount retailer. Here are two hypothetical candidates:

Candidate No. 1: A 20-year industry and company veteran with limited technical experience

  • Has an undergraduate degree in retail merchandising
  • Has a master’s degree in business administration
  • Started with the company as an assistant buyer
  • Left the company and later rejoined to run its call centers
  • Promoted from within to oversee all technology services, including corporate systems, guest systems, supply chain systems, IT services, website/digital assets, data warehouse, business intelligence, software quality and software testing

Candidate No. 2: A 20-year technology and security veteran with limited retail industry experience

  • Has an undergraduate degree in computer studies
  • Worked two years as a programmer analyst for a technology consulting firm
  • Spent one year as a network systems engineer for a high-tech vendor
  • Worked two years as a global services systems engineer for a high-tech vendor
  • Worked 11 years in multiple security and compliance roles (including CISO) in an unrelated industry
  • Spent two years as CISO in an unrelated industry

You’re in charge. Which background do you think would more likely help the person hired to be your CISO to connect with and add value to the organization? Deep industry and company experience with lighter technical skills? Or an outsider to the industry and to the company with deep technical skills and functional experience?

The right answer, of course, is that there is no right answer; there are many factors involved in selecting the right C-level executive for any given organization. In the particular real-world case upon which this hypothetical example is loosely based, however, the role was originally held by Candidate No. 1, who was subsequently replaced by Candidate No. 2 in the aftermath of a significant security breach. Experience shows that in “interesting times,” it’s very common for the pendulum to swing hard from one direction to the other, especially at the senior leadership level.

Emerging CISO Candidates: The Business-Oriented Technologist and the Tech-Savvy Businessperson

In the IBM Center for Applied Insights report titled “A New Standard for Security Leaders,” conversations with 41 current information security leaders surfaced some of the following consistent advice for achieving success as a CISO:

  • Have a strong security strategy and policy
  • Maintain comprehensive and holistic risk management
  • Keep effective relations with business leaders
  • Make concerted communications efforts

These four ideas effectively echo the previous point about relevance: The last two are about connecting with the organization, and the first two are about adding value. Perhaps the overarching theme is that the next generation of security leaders needs to bridge the gap between technology and business.

The IBM report drives this home in a subtle way when it notes that “security leaders believe these activities are increasingly important as they build on their technology competencies and expand their business acumen.”

This is a general statement, but it matches with experience: Most current security leaders tend to be technical people who are working to add business skills as opposed to the other way around.

The Future CISO: 10 Distinguishing Characteristics

One vision for the skills and experience needed by the next-generation chief information security officer is an ongoing transition to servant-leadership, as embodied in the 10 characteristics described by Larry C. Spears. In a slightly modified summary and regrouping of these 10 characteristics, servant-leaders are distinguished as excellent when they are:

  • Communicators, with the ability to listen, empathize, heal divisions and persuade/build consensus
  • Strategists, with strengths in awareness, conceptualization and forward thinking
  • Builders, with a commitment to stewardship, growth of people and growth of the community

Today’s security leaders have already started to recognize that “the skills that got them there were not the skills that are enough to keep them there,” as a wise colleague once observed. Continued progress down this path will result in even greater relevance to their respective organizations.
