Before we get to the answer to the question posed in the title, let’s look at the typical job responsibilities of a CISO:
- Setting the Vision and Strategy – A CISO is responsible for setting the information security program, setting the program’s vision and the strategy to achieve that vision.
- Security Operations – In most organizations a CISO is responsible for the security operations of the organization, which covers the security tools and techniques as well as responding to any security incident and breaches. In this era, a next-gen CISO is also responsible for gathering the threat intelligence based on the threats and techniques used by malicious actors.
- Governance and Compliance – It is also important to set the team that is responsible for the organization to be able to comply with any regulatory/compliance mandates. These mandates are based on the industry in which the organization does business (e.g., if an organization processes/transmits/stores credit card information the organization has to comply with PCI; if an organization deals with patient health data that organization has to comply with HIPAA, if an organization hosts its customer data, they may go for SOC compliance; an organization that wants to develop an information security program can start with ISO 27001/2 series of International security standards, etc.). The CISO has oversight of setting/writing security policies and standards for the organization.
- Security Awareness and Training – The office of the CISO is responsible for educating the workforce on what security best practices should be followed, what security threats are in the wild, performing phishing campaigns and educating workforce members who fall for phishing campaigns.
- Risk Management – Understanding business problems and evaluating the security risks associated with new business initiatives and projects is squarely in the CISO’s purview.
- Business Continuity and Physical Security – In some organizations, the office of the CISO is responsible for business continuity/disaster recovery, as well as the physical security of the organization. In these organizations, the CISO title is replaced by the CSO (Chief Security Officer) title.
- Regular updates to the C-suite and the Board – The status of the information security program, metrics, reporting, opportunities and challenges should be addressed and updated on a routine basis
In these complicated times and with a limited budget, the CISO cannot offload the responsibility of setting the vision and strategy to a staff member.
The CISO needs to know technology and technical jargon. In the current era, with a shifting attack surface, breaches, tactics, techniques and procedures, it really helps CISOs if they have the associated or required technical knowledge to understand and adopt the technical controls, tools and technologies used to mitigate the related risks. If a CISO is a technical person, they can talk technical terms with a technical audience.
On the other hand, a CISO also has to understand the business objectives of the organization and thus needs to have a business mindset. The CISO must talk in risk-based language with the C-suite and the board to translate technical jargon into business language.
Hence, a techno-business (or mix of both business and technical) CISO would be the ideal candidate for the organization. These are the next-gen CISOs.
The icing on the cake is if the next-gen CISO is a hands-on person who can roll up his/her sleeves and help the team if it is stuck with a technical issue.
It is much more doable for a technical person to understand the business problem, but difficult for a businessperson to understand a technical problem. Therefore, it is critical for the next-gen CISO to understand technical issues and help the business resolve those issues in terms/language/lingo the business will understand and be able to relate to.
Welcome to this new era and prepare yourself to be a next-gen CISO!