Chief information security officers (CISOs) need
business and communication skills if they are to defend corporate
systems effectively, according to IT security leaders interviewed
for a Computer Weekly videocast.
The CISOs said an ability to communicate and persuade, as well
as an understanding of business drivers, was as valuable as
expertise in firewalls, computer viruses and unified threat
management software.
Attacks are increasingly aimed at individuals who have access to
sensitive data that can be sold by hackers. IT security leaders
said many such people are either
ignorant of or feel insulated from the higher risk they face, and
they are less inclined to follow company guidelines for safe use of
their computers, especially when away from the office.
This makes them sitting ducks for organised crime gangs, which
are prepared to invest big sums to find the right target and
exploit their behaviour to steal or extort money.
Dealing with people at this level requires a delicate touch,
said John Meakin, group head of information security at
Standard Chartered Bank.
"CISOs generally focus too much on the latest threat because
that is sexy technology, and we are bad at explaining what we are
about to boards. We need to stay calm, explain the threat and the
risks it raises for the business, the steps we plan to mitigate it,
and how we expect the threat to change over time.
"That means we have to straddle both the technical and the
business sides. Unfortunately, the career path to CISO has little
formal recognition and few are guaranteed of getting the right mix
of experience," said Meakin.
"You have to be able to communicate with board members in terms
that they understand. You have to be able to win people over."
Michael Wilks, chief executive at security company Scyron, said,
"The key skillset for the role has centred on technical knowledge,
but this is no longer enough. The evolution of the CISO role brings
a demand for broader business skills, including accountancy and
risk management, not to mention psychology."
Wilks added that his clients, which include 48 UK police forces,
overseas law enforcement agencies and businesses, were blending
responsibility for both physical and logical security into the one
role.
"This is a positive development. Organisations lay themselves
open to security vulnerabilities if there is not central control of
both physical and information security," he said.
Ant Allan, senior vice-president at analyst firm Gartner, said,
"CISOs need management skills to be able to operationalise the
security measures their firms must take regularly as a way to
reduce the day-to-day cost of IT security."
He warned that CISOs would also have to learn how to get more
money from their boards. "Our research shows that firms that have
poor information security spend about 3% of their IT budget on
security. Most firms spend about 5%, and they will need to spend 7%
to 8% to reach excellence," said Allan.