Do you need IT experience to be a successful CISO?
The CISO Challenge of having the right skills
This blog continues the series of articles about what the Chief Information Security Officer should do, be and have. The series aims to answer the many challenges CISOs face on a daily basis, drawing on interviews with CISOs. This post addresses the question of what experience and skills a CISO needs to manage information security effectively.
Noah Brandwijk - 22 June 2017
The expectations of the business
The responsibilities of the CISO (Chief Information Security Officer) keep evolving, and as they do, so do the expectations of the business. Several good studies highlight what the CISO needs to do to meet those expectations. Yet these studies do not identify the experience a CISO needs in order to develop the skills that doing these things requires. As a result, it is still unclear what experience is necessary to meet business expectations.
The evolving CISO role
Over the past decade the CISO has been urged to become more and more of a business enabler rather than an IT expert. As a business-oriented leader, a CISO can better deliver and communicate security value. This change means the CISO needs to be able to tailor security to the needs of the business and, moreover, to contribute to the business goals of the organization (see the previous blog on the CISO Challenges). The CISO must be able to translate complex security risks into understandable business risks.
This change, however, moves the CISO away from IT, and future CISOs may no longer possess IT experience. Yet according to our CISO Challenge research, the CISO still needs IT knowledge; in fact, whether the CISO possesses it is crucial to the success of the future CISO. To translate a complex risk effectively, the CISO needs experience of both IT and the business.
The experience the CISO needs
You could argue that a CISO can acquire missing expertise through hiring. However, to align security effectively with the business, the CISO must be able to evaluate the advice and security strategy that such hires produce, and that requires an understanding of both the IT and the business of the organization.
For example, a CISO with business experience will be able to communicate business impact and, more importantly, business value. Yet to understand and communicate business impact, the CISO must also know the impact from an IT point of view. Similarly, to evaluate security advice and strategy, the CISO must understand the IT landscape of the organization. Otherwise the CISO tailors security only to the business goals and fails to shape it to the organization's IT. That gap can mean that no security change is ever achieved, because the chosen controls simply do not fit the IT landscape of the organization.
The benefit for security
By tailoring security to the needs of the business and to the IT landscape, the CISO can meet the expectations of the business. That in turn earns the CISO the support needed to secure budget and drive security initiatives. The CISO does not require hands-on IT experience, but should have a firm understanding of how IT works. I personally believe that the change of the CISO from an IT expert to a business enabler is vital to the success of the CISO. Nonetheless, the CISO still needs IT experience to be successful. Instead of being a technologist, the CISO now needs to be a tech-savvy business enabler.
The CISO Challenge series
The CISO Challenges series explores how a CISO can approach the challenges of today. The previous CISO Challenge post addressed effective communication of value. Future posts will cover what a new CISO should do first in order to establish him/herself in the organization. These challenges are based on input from CISOs and reflect the current state of cyber security.
More information on Chief Information Security Officer Challenges?
Do you want to know more on CISO Challenges? Please contact Noah Brandwijk at +31 (0)88 2885250.