You're a CISO at a retail chain, making a quarterly update to the board of directors. You tell a roomful of somber faces about Kerberos protocol and a spate of DDoS attacks. You end by asking for more money to buy cloud access security brokers and other information security tools.
"They're going to look at you and say, 'What the heck did you just say?'" said Candy Alexander, a former CISO and independent cybersecurity consultant.
The need for an executive who can forge an information security strategy is more important than ever. Cloud and mobile computing have challenged the very notion of a security perimeter -- and hackers are getting bolder and more innovative. But organizations often puzzle over the skills and experience they should be looking for on a CISO job candidate's resume, unsure whether they'd be more secure with a policymaking businessperson or a buzzword-spouting techie.
Alexander says the right pick depends on the organization doing the hiring. A CISO with lots of technology credentials may have a hard time getting other executives or board members at retail, insurance or healthcare companies to understand that information security risk is business risk. But at software development, say, or biomedical companies, where the latest technology is the product, "you can actually use the terms, the technologies that they'll understand so they're more apt to be receptive to that message."
Company culture and the CISO job
George Do agrees. He's the CISO at Equinix, a Redwood City, Calif., company that leases data center space to organizations worldwide. To him, the infosec chief needs to be a good fit for the organization.
"You can't hire a 30-year FBI, hard-core government security leader guy and throw him in the middle of Facebook," Do said. The culture shock -- different technologies, business requirements, communication norms -- would be too much.
Do lays out the information security and risk management strategy at Equinix and manages a number of teams that carry it all out. He said his skills tend toward the business end of the spectrum.
"We're a company that's trying to accomplish a mission, and it's not all about just meeting everything that's written in a book," he said, referring to the fine line Equinix walks between security and innovation. "We have to balance that with what our customers need and are asking for."
The great communicator
But Do believes the model CISO would have both technical and business skills -- sort of a Renaissance executive. So does Johna Till Johnson, CEO and founder of Nemertes Research. A CISO needs a solid technical background to understand what the threats are, what tools to use to guard against those threats and how to respond should they break through the barriers.
"We used to joke 20 years ago that this was the beads-and-sandals hippie type who'd wander into a meeting and talk argle-bargle and end up with 'No, you can't do that' and walk out," Johnson said. "And that's no longer the role."
Now, the CISO needs to be the human being behind a company's security initiative -- the executive communicating to the board of directors and other execs that if company data isn't being protected, it's his or her job that's on the line.
The CISO needs to be a good enough communicator to deliver the message to customers as well, Johnson said. That's especially important at a time when high-profile companies are finding that they've been hacked -- and made headlines.
"Obviously if you're Target, you aren't necessarily going to put the CISO out in every Target store talking to customers," she said. "But you should be communicating however you can on a regular basis to your customers."
And that won't work unless it's done in plain-spoken language. Though cybersecurity literacy has gone way up in recent years, Johnson said -- "you don't have to explain anymore what phishing is" -- customers might not have a lot of patience for tech talk.
Divide and conquer?
There are signs of a split in the CISO job, though. Johnson's research outfit Nemertes recently completed a survey of 17 companies about their cybersecurity practices and found that a small number of them divvied up the position: one exec in charge of security policy and one for technology.
Johnson asked those companies why. The skills were different, they said. The big-picture, policy exec just wasn't the detailed technology exec. And it was a way to separate duties.
"The policy person can set the policy and validate that policy is being enforced, but someone else needs to execute it," Johnson said in a webinar presenting the research.
Does that mean organizations should start clearing a corner office for a chief information security technology officer?
The trend is nascent, Johnson said, and it might not work for every organization. If a workplace is collegial, it can work. If it's intensely political and people are stepping over one another for promotions, "you're better off having one human and giving him or her all the power," she said. "And that's kind of a sensitive thing. You can't say, 'Hey, if your organization is political [do this],' because everybody says the organization is nonpolitical."