Since the announcement of the Equifax breach and the reporting that their CISO's educational background was in music, there's been quite a bit of discussion around what makes someone qualified to be a Chief Information Security Officer (CISO). As the CTO providing leadership to the CISO at Ping, I wanted to share our perspective on the qualities and ingredients of an excellent security leader, and since October is National Cyber Security Awareness Month, this seems like the right time to do it.
Here's what a highly effective CISO is made of:
A risk-management mindset that ensures precious resources are applied to the highest risk areas--not only the loudest and most visible ones
A strategic approach to implementing security in the organization over time--embedding security as a core part of every business function
A deep understanding of what makes the organization successful--the CISO needs to speak the language of the business
Strong relationships throughout the organization--a strong CISO ensures that security is integrated at various levels
The ability to develop, recruit and retain world-class talent--developing the next generation of security leaders ensures continuity
A strong understanding of the fundamentals of each key function of the security department:
So, what's the right educational background for a CISO?
There's no right answer for this. Great security leaders come from both highly technical and non-technical educational backgrounds, and sometimes they don't even have a post-secondary educational background. The critical step for any company is to identify where their greatest needs lie and hire the right leader for them, then surround that leader with those who will make her/him effective.