Business skills are key components of any chief information security officer (CISO), says Paul Swarbrick, CISO at aeronautical information service, NATS.
“After 25 years in information assurance, I am convinced that in the modern era the role is not about technical expertise, but about being a business expert,” he told Computer Weekly.
“The people I stay closest to are the head of internal audit and head of corporate governance,” said Swarbrick.
Technical vulnerabilities, he said, only become a business risk when they are expressed in business terms.
“There is a difference between penetration testing to look for technical vulnerabilities and doing a risk assessment, which is at the business level,” said Swarbrick.
A common problem in many organisations is that the CISO role is ill-defined because there is no consensus around what someone in that role should do.
CISOs in no man's land
“Many CISOs are stuck in a ‘no man’s land’ because of a mismatch in expectations by the business, IT, risk and the CISO themselves,” said Javvad Malik, senior enterprise security analyst at 451 Research.
Another common problem is that the technical people speak one language and the business people, senior management and the board, speak another.
“Part of my job is to be the translator so I can explain the risks associated with business practices or proposed changes to those practices in terms of the technology so the management can understand why it is a risk to them,” said Swarbrick.
At the same time, CISOs need to be able to identify potential technical problems in proposed business initiatives. Malik said any CISO should strive to have a healthy balance of technical and business skills.
“Part of my job is to talk to the teams tasked with setting up these initiatives to ensure they understand the security requirements that need to be put around that information,” said Swarbrick.
He believes the trend is away from CISOs needing deep and broad technical knowledge and towards needing to understand business governance.
“In any business, you have to link security requirements to business requirements, but also the security vulnerabilities and risks to actual business risks,” said Swarbrick.
There is a growing sense that the focus of the CISO role should be business governance rather than information security because security needs cannot be separated from business.
“Every security control you are putting in place should be linked back to a business requirement or a business risk that needs to be addressed,” said Swarbrick.
This, he said, means understanding how things are financed, how things are run and what the organisation does.
“The days of the CISO who is simply a very highly-qualified network engineer are over. Instead we are going to see CISOs that have an understanding of the technology, but a much deeper understanding of the businesses that they work with,” said Swarbrick.
A modern CISO needs to have a very close working relationship with the CEO, members of the board and an understanding of the knowledge and experience they themselves bring to the table.
Looking to the future, Swarbrick said UK companies are increasingly embracing a managed services approach to IT and as they increasingly move to the cloud, a lot of infrastructure will fall out of the control of those organisations.
“This means that the skills that were required to maintain these things will become less important, but CISOs are going to have to document and demonstrate what the business’s requirements are when third-party contracts are being drawn up and service agreements are being negotiated,” he said.
A time for diplomatic skills
In the coming years, Swarbrick said CISOs are going to be more diplomats and communicators than techies and engineers.
Malik believes CISOs will also align more with the risk function in organisations, either reporting directly to the chief risk officer or becoming one of the roles of the chief risk officer.
In terms of strategies to remain relevant, CISOs need to learn as much as they can about the organisations they work for, said Swarbrick.
“They should spend more time listening than talking, more time understanding what the business does than telling the business what it needs to do,” he said.
Malik said because time is always at a premium, CISOs could hold periodic mini workshops with the IT and security teams to ensure they are up to speed on technology being deployed in the company.
CISOs should also turn any lack of clarity around their role to their advantage by defining the role in a way that is best suited to the business, highlighting the need to have business acumen.
“The ability to define a security role that is relevant to the business is a key skill required by any CISO, alongside good communication and leadership skills, which are essential for maintaining good technical team support while they are out being the PR manager for security in the organisation,” he said.
As the CISO role is still immature, he said, CISOs and would-be CISOs should look to adjacent markets to see how individuals have risen to the top of their professions and adapt those templates.
Malik is to moderate a panel discussion on CISO skills: Surviving and thriving in the new information security paradigm at Infosecurity Europe 2013 at Earls Court, London 23–25 April.
Speakers on the panel include Swarbrick, Simon Riggs, regional information security officer for Europe at Bank of America Merrill Lynch, and Avtar Sehmbi, head of information security and risk management at Centrica.