
IT security chief adds business aptitude to CISO skills

Jeff Haskill, the IT security chief at AstraZeneca, is, according to his boss, “a very technical CISO.” Dave Smoley, CIO at the U.K.-based pharmaceutical manufacturer, praised Haskill for his technological background, which includes nitty-gritty IT work and cybersecurity.

While reporting on the collaboration between CIO and CISO and its impact on AstraZeneca’s efforts to move huge tracts of its IT operations to the cloud, I asked Haskill whether he agreed with Smoley. Were his CISO skills technical skills?

“I’ve done about all on the IT side,” said Haskill, who also runs the IT infrastructure team. He was a software developer, worked on servers and installed large networks. He’s also grounded in forensics and many IT security areas.

“The thing is that you can’t stop there,” he said. “You’ve got to go ahead and understand what the business wants.”

Understanding that is key to an IT strategy designed to encourage scientific innovation and business growth at AstraZeneca, Haskill said. It’s also part of a larger trend: Business skills like communication and policymaking are becoming essential CISO skills.

Candy Alexander, a former CISO and independent consultant, said there are still more technical CISOs out there than business-minded ones, but the role in general is “morphing more into a business partner,” much like the CIO role.

The challenge for CISOs today, Alexander said, is they “have to keep feet in both worlds” — understanding deeply technical issues regarding cybersecurity and IT architecture and the often political and contractual language of business.

Haskill faces the challenge by handing a lot of the technical aspects he oversees over to “people that are obviously a lot smarter than I am” — namely, his security operations, networks and infrastructure teams — so he can focus on business needs.

Having solid knowledge of those issues, however — knowing how cybersecurity fits into the company’s compliance with industry regulations, for example — makes him “more well-rounded” and allows him to relay critical messages to business leaders.

“My ultimate goal is to be able to go in and show complex items, especially in the cyber world, to board members, to our senior leadership, so they understand,” he said. “So they can go ahead and make the appropriate decisions for the business.”