What ‘qualifies’ a CISO?

The Chief Information Security Officer or CISO is becoming a role with ever increasing importance across the globe. With an ongoing cyber skill shortage and salaries that can reach up to $400,000 according to Forbes, the CISO role is a highly sought after position. Many organizations are scrambling to bolster their information security programs and to spear-head the effort a CISO or equivalent is usually engaged. But what makes someone qualified for the role?

After the recent Equifax breach many criticized the former CISO because she had little technical background and was a music major at university. Let’s be realistic here, I’ve met many capable and highly respected executives who have degrees that don’t match or align with their job roles, so this isn’t a very good test of capability and ability to do their job. In fact, I know many people across many industries (including security and technology) who don’t even have degrees, but are well respected experts in their field.

So how does an organization hire a CISO and what makes them qualified? The New York Department of Financial Services (NYDFS) released its cyber security regulations only a few months ago and part of the regulation was to appoint a ‘qualified’ CISO. However, there was no other definition or metric of what constitutes ‘qualified’. Not ideal, but as I see it, there are two areas that need to be addressed in order to determine if someone is qualified; education and experience.

“A qualified person is officially recognized as being trained and possessing the required skill to perform a particular role.”

Education

There are a myriad of courses and certifications for information security management. The well-known certifications such as Certified Information Security Manager (CISM) from ISACA, Certified Information Systems Security Professional (CISSP and CISSP-ISSMP) from ISC2, and Certified Chief Information Security Officer (C|CISO) from EC-Council all have merit in helping to educate and qualify a person.

All the mentioned certifications have experience requirements and are validated by the corresponding certification body, but is it enough? Given that many CISOs are pushing for a seat on the board or to report directly through to the CFO or CEO, should a business degree such as an MBA or equivalent training also be mandatory?

Experience

I can’t stress the importance of experience enough when it comes to determining if a CISO qualifies for the role. Security is such a broad area with many moving parts. At a minimum, the role encompasses the need for technical know-how, risk management, people management, program management, project management, and business acumen. There is no single course that I’m aware of that can provide all the required knowledge and skills and there really is no substitute for experience.

It would be expected that a CISO has experience in many different domains and possesses the necessary soft-skills to put it altogether and deliver the security program. Although a deep technical understanding of technologies likely isn’t critical, a high level understanding is. This understanding and experience will help demonstrate value and allow effective communication among all stakeholders and personnel.

The Framework Approach

A question that comes up from time to time is: how can experience be measured? While simply listing out what experiences is needed, the ability to benchmark it is useful. One way to assess experience is to take a framework approach. As an example, the Skills Framework for the Information Age version 6 (SFIA V6) can be used to measure the skills an individual has and determine if they are suitable for a particular role. SFIA is high level and backed by the UK government, it is also increasing in popularity around the globe; the Australian Computer Society (ACS) have leveraged SFIA for a number of years.

SFIA uses levels of responsibility from 1 to 6 for each skill and subsequently those scores are used to determine the skills a professional has and what roles are suitable. A CISO would mostly fall into level 6 with some level 5 skills. These levels are focused on accountability, influence and complexity, and also include a level of business skill knowledge.

What about the CSO?

Finally, if we take a broader view and look at CSO roles (where responsibility is for security across the enterprise, not just information related security), the stakes are even higher as is the experience requirement. This makes it very difficult to define what requisite education and experience is required. Ultimately, trying to find someone with strong experience across all domains could be quite difficult if not impossible. This is especially true if the candidate hasn’t had a CSO role before.

Final thoughts

Ensuring the right person is in the CISO role is critical for a successful security program. Factors such as education, experience and cultural fit must be taken into account when determining if a particular candidate is both qualified and suitable for the role. Because the role is fairly new it can be difficult to find candidates that tick all the boxes or have experience across all the necessary domains. In cases like this determining the primary duties and ensuring the candidate meets those requirements, and then determining whether the candidate has the ability to fulfill the remaining areas opposed to demonstrated experience may need to be relied on.