With information being the currency of the 21st century, having the right person in the executive role of managing the security of this business asset is paramount. A Chief Information Security Officer’s (CISO) role calls for someone who can bridge their technical skills with a clear understanding of business needs and knowledge.
Yet, the precise job requirements and tangible outputs demanded of a CISO remain relatively unclear to many senior executives. Many companies approach finding a CISO the wrong way, choosing either a manager/executive who has no information security grounding or a solely technical person who can only discuss firewalls and IDSs and doesn’t understand the business and greater environment. Let's expand on these two classifications and introduce a third - the hybrid CISO.
The non-techie but business-savvy CISO
This type of individual often has very little or no grounding in any information security discipline. However, he/she is a political animal who understands the value of diplomacy.
This individual does not adequately understand threats, risk and consequential impacts and has a huge dependency on his/her team. In addition, this individual will often end up purchasing unnecessary and expensive technology that may not address what is truly needed.
The technically competent but less business-articulate CISO
This individual has normally progressed from being a very technical engineer or programmer and, by virtue of being around long enough, has been crowned the chief or head of information security. He/she, in most cases, does not understand managerial approaches and political manoeuvring. In many cases, this individual is convinced that the latest and greatest tool, software or hardware is the panacea for all information security risk.
Enter the hybrid CISO
Articulate in business-speak, technically aware, politically astute and comfortable with both management and technical skills, the hybrid CISO is the only type that can understand the technical threats, risks and impacts whilst at the same time having the ability to effectively communicate, present and manage board-level challenges.
Apart from experience, this individual should also hold one or more industry certifications, such as the CISM, CRISC or CISSP; possess knowledge of ISO standards (e.g., ISO 27001) and business frameworks for IT, such as COBIT 5; and possess awareness of PCI and DPA standards.
It is true that this is not always an easy-to-find candidate, but it is worth taking your time in the hiring process. A hybrid CISO who can transition between technical and business realms with ease may be the ideal one to help the organisation to survive and thrive in the digital world.
Amar Singh is a member of the ISACA London Chapter Security Advisory Group and the Chief Information Security Officer of a multinational company. ISACA is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk