Ever since its inception in the late 1990s, the CISO job has tended to be highly technical. The CISO would likely report to the CIO and have a varied background as a system or network administrator, or perhaps as a security analyst in a security operations center (SOC). Almost all CISOs were male, with either experience in computer science or perhaps as a senior manager in the military.
However, this traditional view of the job has shifted in more recent years thanks not only to workforce diversification, but also to a growing desire for security to be more aligned with business interests.
As a result, today you’ll find male and female CISOs, from all backgrounds, offering a variety of skills and experiences. They may not all be CISSP qualified, but they know how to manage projects, communicate, and build a business case for information security.
Some of these next-generation CISOs have come from areas you wouldn’t necessarily associate with infosec, such as psychology, sociology and law.
However, the job is not an easy ride, despite the lucrative salary. The job responsibilities are ever increasing, the hours are long, and failure around any security incident almost always results in dismissal.
“The role of CISO continues to evolve in that the expectation now is that the CISO not only be security savvy, but also technically adept and business aware,” says Becky Pinkard, director of the security operations center at British publishing house Pearson. “The right CISO is the ultimate weapon in the resource arsenal against cyber-security issues.”
Neil Thacker, information security and strategy officer at web security software vendor Websense, believes that businesses will increasingly look for this person from other lines of business.
“New CISOs originate from other areas of the business, areas already aligned to risk,” he told CSO Online. “Fewer will originate from an audit and compliance background, but a closer understanding of legislation, governance and ultimately risk is important, with a necessary skillset to demonstrate understanding in this area.
“The traditional route to the role of CISO may also continue with technical, consultant and adviser skills all considered as a good background to the role.”
Board buy-in still a problem
Cisco’s Annual Security Report last year suggested that CISOs are out of step with their own security teams, while other studies have raised serious concerns about the supply chain and incident response capabilities. Meanwhile, age-old problems like IT-led reporting lines and getting board buy-in continue to fester – showing that the job continues to have many challenges.
Nic Wells, CISO at UK bus company Arriva, says that some businesses still view the CISO as “purely an IT role” which “should not be involved in other business functions”. He admits that his biggest challenge is “demonstrating the value of information security and good risk management in financial terms to the business”.