Sagalov said with the right training and mentoring, “many in IT could move into upper level management.”
And he said personality tests are not foolproof. “Studies have shown that they lack the reliability to predict employee performance, and may even be illegal when used to screen applicants,” he said.
James Christiansen, vice president of information risk management in Optiv’s Office of the CISO, said he is an example of that transformation, with titles like past CISO for General Motors and senior vice president and division head of information security for Visa International on his resume.
He began as a techie and recalled, “digging through a multi-thousand-line hexadecimal printout of an MVS system,” to find the cause of a system failure.
James Christiansen, vice president of information risk management, Optiv’s Office of the CISO
“Years later I am leading thousands of people worldwide and even was founder of a new company,” he said. “The fact that I started in IT as a super techie did not limit my growth.”
But, he admits he had to, “retool myself by gaining management skills, presentation skills and even dressing for the part.”
Michael Wyatt, director, Deloitte Advisory, Cyber Risk Services, said while it is not possible to transform people from one personality type to another, “we have had very good success in raising the awareness of the need to ‘flex’ communication styles.”
Wyatt said the Deloitte lab focuses on what he called the “four faces of the CISO,” which are that of strategist, adviser, guardian and technologist.
He said most CISOs focus on the guardian and technologist roles, since those are the most familiar. But he said the majority of them can grow into the roles of strategist and adviser, through the development of “critical communication skills” – yet another reference to the need of CISOs to be able to “speak the language of business.”
John Lyons, president of ThreatTrack, also believes many CISOs, “have the chops to be strong strategic business advisers.”
But, given the findings of his firm’s survey, he agreed it is a challenge for CISOs to adapt to the boardroom, in large measure because, “cybersecurity, as a separate discipline distinct from IT, is still a relatively new development.”
John Lyons, president, ThreatTrack
That is also the view of Chris Wysopal, cofounder and CTO of Veracode, who said that while people can change and adapt, “it isn’t always easy,” in part because, “the role of the CISO is still fairly new, so much of what makes a good CISO is still being defined.
“If you look at other C-suite roles – CEO, CFO, CMO – these have been established for decades, creating defined paths to success. The CISO has been around for roughly 10 to 15 years, but it didn’t come to prominence until the last few years, and then as a technical role.”
Sign up for CIO Asia eNewsletters.