The qualities and skills of an effective chief information
security officer include strong ethics, professional qualifications
and the right experience, says Richard Starnes
It has been my privilege to work with some of the best chief
information security officers (CISOs) in the world. I have also
worked with a few who are not so great. In a time where there are
no guidelines to separate the two, how are we to know? There are
some obvious things to look for: education, experience,
certification, character and reputation.
Education is a difficult one to judge. Relatively few
information security professionals have master's or doctoral degrees in
information security. But there is a lot to be said for those with
an educational background in business, law enforcement or the hard
sciences. A master's or doctorate does not automatically guarantee a
competent CISO, but it does tell you that someone can complete an
extended academic programme and has some research and writing
ability.
Experience is also difficult to judge. The information security
discipline is still in its infancy and experienced people are often
difficult to find. Many CISOs started out as programmers, systems
administrators or network engineers. However, there appears to be a
new trend for companies to appoint CISOs from a business, legal or
law enforcement background. If this trend is a real one, I find it
worrying.
There has been a dangerous management philosophy afoot for some
time that managers do not need to have experience of an area to
manage it. But ideally, CISOs need to speak the language of
information security and translate that into business needs the
executives and the board can understand.
As John Meakin, group head of information security at Standard
Chartered Bank, said, "A good CISO is a person who knows how to, and
is prepared to, take infosec risk management judgements on the
basis of in-depth business and technology knowledge. If they aren't
prepared to take appropriate risks based on that knowledge, then
they shouldn't be in the job. Business is all about managed
risk."
I was moving up the ranks in the information security profession
when industry certifications were starting to take hold. I took and
passed the CISSP qualification as part of my career progression.
However, some CISOs demand industry qualifications from their staff
even when they don't have qualifications themselves. I am not
saying that a CISO should be carrying the entire merit badge
collection of information security certifications, but would one
certificate be asking too much?
Ethics is an area where context, a reasonable knowledge of
history and a strict idea of the type of CISO an organisation needs
are extremely important. Take two potential candidates. The first
says: "In the early 1980s, when I was a teenager, I hacked a few
sites for fun but never did any damage." At that time, there were
few, if any, laws against hacking, and few programmes teaching young people
the ethics of using information systems.
The second says: "In the late 1980s, when I was a teenager, I
hacked a few sites for fun but never did any damage." By the late
1980s, Scotland Yard's Computer Crime Unit was fully formed, the
Morris worm had hit, the US Congress had passed the Computer Fraud
and Abuse Act and Parliament was well on its way to passing the
Computer Misuse Act. Same actions, but a different time frame. Would
you hire this person based on either scenario?
A final example: the CISO makes important strategic corporate
purchasing and product marketing decisions based on close personal
ties with suppliers, not the needs of the company or on sound
product testing. Is that acceptable? One would hope that a CISO
wouldn't put their employer in that position, but some do. How
strong are their ethics?
Lastly, we have reputation. This is a tricky, though important,
part of what makes a good CISO. Those in the information security
community are acutely aware that business is about trust and
reputation. I would argue that a good CISO would have visibility
and a good reputation within the information security community.
CISOs should also be able to earn the trust and respect of their
employees as well as their peers.
This list, like all lists, is incomplete. But it should give
you a starting point from which to build a career. Remember, in
this business a reputation takes a lifetime to build and seconds to
lose.
Richard Starnes is president of the Information Systems
Security Association UK