Cyberspace is now the primary medium for revenue generation for most online-savvy organizations, and it is responsible for billions of dollars of commerce and revenue growth. A significant majority of goods and services are being bought and sold on the internet, across the globe. Whereas, earlier, e-commerce was only prolific in the West, today China and other nations in Africa and Asia are also seeing significant commerce in cyberspace.
Yet, cyberspace remains an immensely hostile realm for the modern organization. It’s a digital landscape where hackers, pirates, criminal gangs and even national cyber-armies swagger around with impunity – a landscape where the actions of these criminals can, in extreme cases, destroy whole companies and, in most instances, cause severe reputational and financial damage to even the most resilient of organizations.
Given that cyberspace is set to become omnipotent, having the right individual in the executive role of leading an organization and managing these challenges is paramount. Despite these obvious challenges, the requirements and tangible outputs demanded of this executive remain relatively debatable.
The majority of organizations, unaware of the complexities of information security domains, approach this recruitment as a relatively simple exercise. Some will chose a manager or team leader type who has experience in managing people. In some cases he/she may know an odd technical term or two. On the other side of the hiring spectrum, recruiters rely solely on technical expertise and assume that a tech-savvy individual will know enough of the trade to fight off hackers.
Neither of these approaches will target the right type of individual. What is required is a person who can transparently and seamlessly bridge both technical and commercial domains. A techie and a political animal, this chief information security officer (CISO) must be a leader who can lead from the front: a hybrid CISO.
Allow me to explain and expand on all three executive classes, and why the hybrid CISO is the best person for the job.
The non-techie, but business-savvy CISO: This type often has very little or no grounding in any information security discipline. However, he/she is a political animal who understands the value of diplomacy. This individual will often end up purchasing unnecessary and expensive technology, solutions or services that may not address business requirements. Often hailing from a managerial or team leader background, this type of executive carries several preconceived views of what constitutes security.
They believe the hiring, monitoring and managing of experts for the team satisfies upper management’s requirement that security is ‘well managed’. In addition, this individual is often unable to adequately understand threats, risk and consequential impacts of the ever-complicated happenings in cyberspace. Their reliance and faith in experts makes matters more complicated as, often, these experts themselves foster a single myopic view of the world.
The technically competent, but less business-articulate CISO: This individual has often progressed from being a deeply technical engineer or programmer and, by virtue of being around long enough, has been crowned the chief. This type of executive often refuses to, or is unable to dabble much in managerial tasks, and in most cases they do not understand the managerial approaches for political maneuvering. This fear of the unknown leads to the executive getting over involved in technical deliberations rather than focusing on the overall business problem at hand. As a result, this individual becomes convinced that the latest and greatest tool – software or hardware – is the panacea for all information security risks.
In addition, this individual often loses the respect of senior executives by constantly referring to technical solutions when presented with business problems, and as a result often ends up becoming another techie, albeit senior, rather than the executive.
Furthermore, trusting an organization’s online reputation with a technically competent but business-deficient executive is fraught with danger, as technical mastery is often wrongly linked with defense supremacy. Few battles have been won without equal mastery in both strategic planning and diplomacy.
The hybrid CISO: Communicative and articulate in business-speak, technically competent, politically astute and comfortable with both management and technical skills. The hybrid CISO is the only type that can understand the technical threats, risks and impacts facing the organization, while at the same time having the ability to effectively communicate and manage board-level challenges.
The broad shoulders of a hybrid CISO require them to deal with an extremely wide variety of technical and business requirements fired from all corners of a business. This can be anything from a PCI compliance issue, managing cloud security, risk management, and ensuring data privacy, to dealing with folks in legal and HR and maintaining meaningful business key performance indicators (KPIs). The ability to deal with auditors, both internal and external, is all part of a regular day’s duty for the hybrid CISO.
To safely trek the growing and perilous cyberspace requires the leadership of a visionary, a thinker, a leader, a doer and, importantly, an experienced hiker. It requires a hybrid CISO.
If asked for a realistic job description, I would summarize the role of a CISO as:
Urgent requirement for a C-level executive who must be able to produce and then lead the organization’s cybersecurity strategy through internet’s choppy, malware infested waters and ensure that the organization retains all its e-commerce and information completely intact before and after docking. This executive must, if required, be able to fight internet’s pirates in hand-to-hand combat while having the acumen, intelligence and business sense to represent the organization’s interests at executive board meetings and other business gatherings.
This executive is expected to know about PCI, SOX, IS0 27001, COBIT and risk management, audit, business continuity while being aware of TCP/IP, network security, secure software development, VPNs, mobile security, hacking techniques, database security, log management, access and authorization, email security and let’s not forget, awareness of encryption algorithms.
Finally, this executive must be of the highest integrity as he/she will, from time to time, be privy to some of the most sensitive commercial information and lead highly sensitive forensic investigations.
We expect this individual to deal with the techies and executives, and lead the organization’s information security direction. Apart from experience and abilities, this individual should ideally hold one or more industry certifications, such as the Certified Ethical Hacker (CEH), SANS certificates, the CISM, CRISC or CISSP; possess knowledge of ISO standards (e.g., ISO 27001) and business frameworks for IT, such as COBIT 5; and possess awareness of PCI and DPA standards.
This is not always an easy-to-find candidate, but it is worth taking your time in the hiring process. A hybrid CISO who can transition between technical and business realms with ease may be the ideal one to help an organization survive and thrive in the digital world.
Amar Singh, CISSP, is a member of the ISACA London Chapter Security Advisory Group and CISO of News International.