4 skills CISOs need now
Leading a security program within an organization has taken on a new shape, says career expert Lee J. Kushner. What skills do security professionals need to hone now in order to be competitive in the job market?
By Joan Goodchild, Senior Editor
February 15, 2011 — CSO —
Information security leaders of the future need skills that go beyond security, according to Lee J. Kushner. After several years of maturation, CSOs and CISOs are increasingly finding the word "chief" in their title comes with different expectations than it did when the role first began cropping up in organizations a decade ago.
"Today's CISO will need to build a comprehensive skills matrix that places them on the same level as other senior executives," said Kushner, who will be leading a presentation about CISO skills and careers at RSA this week.
What are those key skills and attributes that companies are searching for now when selecting a CISO? Kushner takes us through the four most important—and advises on how security professionals can acquire them.
Technical knowledge—that connects to business operations
While technical expertise is something a CISO has always needed, Kushner believes strong technical knowledge will remain a cornerstone for the CISO—and also CSO—of the future. In fact, it is this level of knowledge that will broaden the gap and continue to differentiate senior information security leaders from their counterparts with backgrounds solely in physical security, and make them more attractive in the selection process.
"As enterprises become more reliant on technology to enhance their business, the CISO is going to be required to expand and grow their technical competencies and awareness," said Kushner. "This breadth of knowledge will be a key component in the maintenance of their credibility and establishment of trust with the leadership of core technical functions—including software development, infrastructure, engineering and operations."
This also means a CISO's technical competency needs to span beyond just preparing a company to thwart emerging threats and attacks.
"Instead of thinking about what a widget does and how cool it is, CISOs need to be thinking about 'How is this technology going to affect our business?'" said Kushner. "What is going to be the impact if we do this with our supply chain, or access management, or mobile apps or whatever it may be."
And as the business begins to evaluate new technologies to aid in their expansion, the CISO will have to help the business understand both the risks and exposure that these new technologies bring on.
"One of the best current examples of this would be the security around tablet technology and mobile devices," said Kushner. "Many organizations are thinking about ways this technology can aid sales, increase productivity, and maximize performance—however the CISO will need to be able to articulate how these new technologies expose the business to risk, and how they need to be implemented correctly to maintain regulatory compliance and adherence to industry standards and frameworks."