Technical Expertise

The Chief Information Security Officer CISO can't live in an ivory tower. Every CISO must have an in-depth understanding of cybersecurity threats and the technical skills required on their team to mitigate them. The increased threat exposure (internal and external) to critical private enterprise data, as well as the growing complexities of IT architectures, require a CISO leader who can both conceptualize and lead technical strategies and the planned response to information security breaches. Highly requested technical skills by employers include:

• DNS, routing, authentication, VPN, and DDOS mitigation technologies
• Security architecture development
• Tablet and mobile software risk exposure
• Disaster recovery planning
• Network security and firewall management
• Identity management
• Digital forensics

Business Acumen

In our 2014 Pace Morgan Leadership Roundtable in San Diego, both medium and large US-based clients have stated that business skills are on the top of the list of “must-haves” for the CISO role. According to hiring managers who attended,  the Chief Information Security Officer must deeply understand the business impact of such breaches in order to make appropriate strategic and budget recommendations.

In addition, a September 2015 article in the Wall Street Journal “Make Way for a New ‘C’ at the Table” and several Gartner group research studies, business skillsets are seen as more important than pure technical skills. CISOs are supposed to be able extensively explain these risks to business leadership as well as provide best answers to mitigate that risk. According to Pace Morgan Sr. Partner, Stephen Pace:

“ Since the beginning of 2014 CISO responsibilities have been redefined. Now employers expect the CISO to go into a board meeting and clearly articulate the legal and financial risks as they see them, and explain it succinctly without too much technical jargon.”

Negotiation and Presentation Skills

CISOs, now more than ever, need to meet the technical and business requirements of their employer. In this “bridge” role they are put in a split position to analyze, develop, and present, strategies to business leaders, and at the same time their own software and network infrastructure teams. To bring both sides together effectively, the CISO must be an effortless negotiator to motivate others to come to agreement and make decisions to move forward..

Understanding of Legal Exposure

In the early 2000’s there was not much talk of cybersecurity. Generally it was limited to passwords and authentication schemes and biometric readers. But that all changed in recent years with attacks on Sony, the IRS, Target, and famously, Ashly Madison. Examples of compliance areas to be well informed on include HIPAA and FISMA. To be an effective Chief Information Security Officer, you must be keenly aware of the legal ramifications of data breaches and their financial impact to the company. You must be able to ensure with the actions of your team that legislative compliance and the procedures you put in place were followed 100% of the time. The risks of being fined millions for security breaches of financial data are daunting, especially if the vulnerability exercised was known and should have been dealt with in your protection schema.

Summary

When we are asked by information security practitioners “How do I get a leadership role” we offer the same advice to everyone. Do an honest gap analysis of your experiences and knowledge to see where you need to build, both on the business as well as the technical side.

Being strong technically is not enough anymore. It may take some time to develop these skills, but the benefits of that increased business knowledge and presentation skills will take you far. Remember: The competition is getting tougher for this new role, and you need to have all the skills listed above to get the top job.