Chief information security officers (CISOs) need business and communication skills if they are to defend corporate systems effectively, according to IT security leaders interviewed for a Computer Weekly videocast.
The CISOs said an ability to communicate and persuade, as well as an understanding of business drivers, was as valuable as expertise in firewalls, computer viruses and unified threat management software.
Attacks are increasingly aimed at individuals who have access to sensitive data that can be sold by hackers. IT security leaders said many such people either are ignorant of or feel insulated from the higher risk they face, and they are less inclined to follow company guidelines for safe use of their computers, especially when away from the office.
This makes them sitting ducks for organised crime gangs, which are prepared to invest big sums to find the right target and exploit their behaviour to steal or extort money.
Dealing with people at this level requires a delicate touch, said John Meakin, group head of information security at Standard Chartered Bank.
"CISOs generally focus too much on the latest threat because that is sexy technology, and we are bad at explaining what we are about to boards. We need to stay calm, explain the threat and the risks it raises for the business, the steps we plan to mitigate it, and how we expect the threat to change over time.
"That means we have to straddle both the technical and the business sides. Unfortunately, the career path to CISO has little formal recognition and few are guaranteed to get the right mix of experience," said Meakin.
"You have to be able to communicate with board members in terms that they understand. You have to be able to win people over."
Michael Wilks, chief executive at security company Scyron, said, "The key skillset for the role has centred on technical knowledge, but this is no longer enough. The evolution of the CISO role brings a demand for broader business skills, including accountancy and risk management, not to mention psychology."
Wilks added that his clients, which include 48 UK police forces, overseas law enforcement agencies and businesses, were blending responsibility for both physical and logical security into the one role.
"This is a positive development. Organisations lay themselves open to security vulnerabilities if there is not central control of both physical and information security," he said.
Ant Allan, senior vice-president at analyst firm Gartner, said, "CISOs need management skills to be able to operationalise the security measures their firms must take regularly as a way to reduce the day-to-day cost of IT security."
He warned that CISOs would also have to learn how to get more money from their boards. "Our research shows that firms that have poor information security spend about 3% of their IT budget on security. Most firms spend about 5%, and they will need to spend 7% to 8% to reach excellence," said Allan.