The qualities and skills of an effective chief information security officer include strong ethics, professional qualifications and the right experience, says Richard Starnes
It has been my privilege to work with some of the best chief information security officers (CISOs) in the world. I have also worked with a few who are not so great. In a time where there are no guidelines to separate the two, how are we to know? There are some obvious things to look for: education, experience, certification, character and reputation.
Education is a difficult one to judge. Relatively few information security professionals have masters and doctorates in information security. But there is a lot to be said for those with an educational background in business, law enforcement and hard sciences. A masters or doctorate does not automatically guarantee a competent CISO, but it does tell you that someone can complete an extended academic programme and has some research and writing abilities.
Experience is also difficult to judge. The information security discipline is still in its infancy and experienced people are often difficult to find. Many CISOs started out as programmers, systems administrators or network engineers. However, there appears to be a new trend for companies to appoint CISOs from a business, legal or law enforcement background. If this trend is a real one, I find it worrying.
There has been a dangerous management philosophy afoot for some time that managers do not need to have experience of an area to manage it. But ideally, CISOs need to speak the language of information security and translate that into business needs the executives and the board can understand.
As John Meakin, group head of information security at Standard Chartered Bank said, "A good CISO is a person who knows how to, and is prepared to, take infosec risk management judgements on the basis of in-depth business and technology knowledge. If they aren't prepared to take appropriate risks based on that knowledge, then they shouldn't be in the job. Business is all about managed risk."
I was moving up the ranks in the information security profession when industry certifications were starting to take hold. I took and passed the CISSP qualification as part of my career progression. However, some CISOs demand industry qualifications from their staff even when they don't have qualifications themselves. I am not saying that a CISO should be carrying the entire merit badge collection of information security certifications, but would one certificate be asking too much?
Ethics is an area where context, a reasonable knowledge of history and a strict idea of the type of CISO an organisation needs are extremely important. Take two potential candidates. The first says: "In the early 1980s when I was a teenager, I hacked a few sites for fun but never did any damage." At that time, there were few, if any, laws against hacking or programs teaching young people the ethics of using information systems.
The second says: "In the late-80s when I was a teenager, I hacked a few sites for fun but never did any damage." By the late 1980s, Scotland Yard's Computer Crime Unit was fully formed, the Morris worm had hit, the US Congress had passed the Computer Fraud and Abuse Act and parliament was well on its way to passing the Computer Misuse Act. Same actions, but different time frame. Would you hire this person based on either scenario?
A final example: the CISO makes important strategic corporate purchasing and product marketing decisions based on close personal ties with suppliers, not the needs of the company or on sound product testing. Is that acceptable? One would hope that a CISO wouldn't put their employer in that position, but some do. How strong are their ethics?
Lastly, we have reputation. This is a tricky, though important, part of what makes a good CISO. Those in the information security community are acutely aware that business is about trust and reputation. I would argue that a good CISO would have visibility and a good reputation within the information security community. CISOs should also be able to earn the trust and respect of their employees as well as their peers.
This list, like all lists, is incomplete. But this should give you a starting point from which to build a career. Remember, in this business a reputation takes a lifetime to build and seconds to loose.
Richard Starnes is president of the Information Systems Security Association UK
This was first published in November 2005