The role of the CISO has shifted dramatically in the past ten years. Almost 20 years ago, in the early years of the information security officer role, the person who filled that position was focused on the very basics of security: antivirus, firewalls, and file system access control. At the time, there were no data security laws like HIPAA, no industry standards such as PCI or NERC, and no best practices such as NIST 800-53 or COBIT. There was just a small community, almost invariably culled from the ranks of IT. And for many years, they were all functioning as appendages to IT—sometimes lucky enough to report directly to the CIO, but more often than not, relegated to a position that had a limited opportunity to give advice and lots of hands-on activity, but little ability to actually affect policy.
Fast-forward to today, and the stakes are so much higher. Waves of data breaches have resulted in security mandates across the entire spectrum of data. Attackers are now recognized for the broad spectrum they actually represent, including coordinated global groups, organized crime syndicates, and nation states. While we continue to see attacks increase, we still adopt more technology that exposes us to risk, from mobile devices, to cloud services, to the adoption of Internet connectivity for every possible appliance, car, and device. Security tools today are a lot more advanced than they were back then, but they have not been keeping pace with those on the other side.
For the CISO, this change has resulted in a more active role. Today it's rarer to find a CISO that reports to a CIO than it is to find one who reports to the CEO. Independence from IT is an absolute requirement for the modern information security officer, just as independence is required between the CFO and a financial auditor, a valuable lesson we learned from SOX, which also has implications for information security. Additionally, the CISO role is now one of a trusted advisor to the business as a whole, not just to technology. Sure, technology provides the tools that produce, process, store, and transmit business data, but to the CISO, the technology itself is much less important than the business processes it supports.
So, with all these changes in profile and function, what skills does the CISO need to thrive in today's environment? One of the most critical capabilities is simply the ability to understand the business much more intimately than his or her predecessors. Business drives the need for technology, and so security must be focused on how data is used within those business functions, across the end-to-end spectrum. Without a solid understanding of what the organization does, and how it makes money, an information security officer is going to have a fundamental disconnect with what's needed to protect the enterprise.
Another key skill, particularly with the adoption of outsourced services (think cloud) is the ability to understand the security impacts of contracts. A good CISO should be a trusted adviser not only for IT contracts, but for every other contract the organization signs, as well. For many organizations, business partner agreements rely on an exchange of proprietary data; the CISO must have visibility into these contracts during negotiations—not after the ink is dry—and must be able to identify potential risks and threats. Good language comprehension skills, coupled with a good relationship with the legal department, is critical.
Of course, that's not to suggest that technical skills don't still have an important place with the modern information security officer. The ability to identify new and emerging threats—as well as the available technologies to counter them—is still a fundamental job requirement. But as time goes on, the ability to be able to think and operate independently, as well as to become a trusted advisor to the business, will only continue to grow.