Skills you think a CISO should have?

I want your opinion on what you think a Chief Information Security Officer (CISO) should know/have in terms of experience, knowledge, skills, education, etc.

There is no right or wrong answer, and I'll share my own answer in a bit.

The reason I ask this is because I see so many odd opinions on LinkedIn with regards to what a CISO need to know/be. I've seen bizarre things like a CISO should be a certain gender or has to come from law enforcement or other nonsense, so let's have a healthy discussion on the skills and knowledge/experience that makes up great CISOs

Find more posts tagged with

CISO

Comments

PC509

A good technical background, obviously. So they aren't buying into the synergy of the layer 8 firewall appliance that some sales guy tells them about. Knowing what certain things do, who/what you're protecting the place from (insiders, intentional or unintentional vs. outsiders, etc.).

But, also a strong business background, possibly with an MBA (or some business degree). Many decisions are based on the needs of the business. You could spend a ton of money on a problem and it'll work. You could also see that it wouldn't help the business one bit (risk management as well as actual business needs). It is also huge in talking with other executives, most of which don't speak the technical jargon. They want to know how it will affect their bottom line and how it does benefit the business (or minimize the harm done if there is significant risk and they are breached in case they do nothing). Having a bit of accounting knowledge helps a lot, too. Will that layer 9 synergestic firewall content filtering cloud based appliance have a good ROI, or will it just be another thing for your guys to manage without really doing anything? Being the liaison between the technical teams and the management teams.

Gender? Nope. Law enforcement? Nah, but a bit of that kind of knowledge does help out.

Just my thoughts, anyway. Probably a lot I missed or got wrong, but those are what I'd like to see in a CISO. Well rounded, good with technical stuff but focused on the business.

stryder144

I ran an exercise with some of my students a few years back and we looked up the desired skills and one entry seemed like a decent, balanced set: an MBA and an M.Sci. Business and technical folded into one. I would add a strong understanding of the regulatory landscape for the industry they are in (or plan to be in).

LonerVamp

I'll start with the "easiest" one: technical skills enough to know when someone is not giving you good advice or direction. And enough to be able to understand your company's position, generalities, and environment so you can talk to the right people, give them the right information, and get useful information back. I would even say this means having experience dealing with audit, regulations, and security frameworks moreso than being hands-on-keyboard in a SOC or something. Also, the CISO needs to know when someone is talking to them confidently, but incorrectly. Too often, someone who doesn't know they don't know what they're talking about will throw entire companies into a tailspin when upper management listens to them and gets fooled. Know enough to avoid this, and lean on your deeply technical folks in the trenches. Be able to identify them and cultivate trust. Also, you can't just send everyone who asks you a question to your help desk or star players; you need enough to address it and pass on what needs to be. Too many conversations end up not being actionable things and someone just wanting to know a little bit more about controls on A or security's stance on B.

Business acumen to understand the business drivers and desires. This also includes being able to understand what drives the other C-levels and how to speak their speak. This often comes from an MBA pursuit. The things that impress technical people in meetings do not impress upper management, and vice versa. Combine this with the above technical skills so that you can translate what the worker bees are telling everyone to language the C-levels or board understand.

Social skills. This may be the most important one, I suspect. A CISO needs to own initiatives and work those political conversations with every level to get things done, to get eyeballs into meetings, to get included/involved in other projects. This should also include managerial experience dealing with a wide range of direct reports and their problems. Almost everything a CISO does will slow down other projects/people or create some measure of additional work for projects/people.

Project skills enough to lean on those who are truly managing the projects and keep them on task to properly report upward. Not understanding how projects work or how to manage them means that CISO likely is themselves one of the challenges to getting projects done.

Self-awareness to know that you and your department are a cost center looking to keep the business running smoother and lowering risk. And if you're large enough, keeping other C-levels out of lawsuits and jail time. Essentially, know your place, but also be a master of your place.

That's my quick take anyway...

JDMurray

The number one skill needed by any C-level executive is team building. CISO capability has a degree of scale depending on the size of the business. A CISO successfully controlling a 1000-employee company may not have near the capability and understanding necessary to perform the same for a 100K-associate enterprise. A CISO can't possibly have all the knowledge and expertise to do everything business- and security-related. The size of the team needed to support an enterprise CISO is much, much larger than the medium-sized-business CISO. The enterprise CISO may have much more in-house experience while the small potatoes CISO will need more external expertise. Regardless, the CISO will need the skill to build a team with the expertise and capability for their business situation.

LonerVamp

JDMurray said:

The number one skill needed by any C-level executive is team building.

I think that is a succinct way to put it. +1!

UnixGuy

I agree with all the above. I'm glad there is sanity in here! I wish all CISOs and CIOs had those skills you talk about