Five alternative paths to the CISO chair  

CISOs of the future

COMMENTARY: Now that top management has been calling for chief information security officers (CISOs) to emphasize business strategy and risk management over technical leadership, the route to the top cybersecurity role will face some significant changes in the coming years.

While companies will always want to place a smart technical person in the hot seat who has learned the business ropes along the way, the changes in enterprise expectations for CISOs will inevitably impact who's recruited to the role.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

If the board seeks more business leadership from the CISO, then it makes sense that companies will hire candidates who have followed a business career path rather than a technical one. Many within the security community see the writing on the wall here: a recent poll of information security professionals showed that a plurality of them, 47%, believe the CISO role has already become less technical.

Other research backs up this gut reaction from security pros in the field. According to recent research from IANS, the majority of CISOs, 76%, have followed a technical career path with a minor focus on risk-focused functional areas. But almost 25% of CISOs followed a primarily non-technical route to their current position. Today, the likeliest alternative backgrounds are security-adjacent career paths such as governance, risk and compliance (GRC) and audit and risk: approximately 22% reported that their experience fell into those risk and compliance functional areas. Just a 2% sliver came from outside any kind of technical or risk background.

I think that in the coming years this "other" category will grow as more boards demand that CISOs bring deeper business awareness and experience to the table. As this happens, we'll see the pedigree of the typical CISO start to shift. In addition to drawing in more audit and risk professionals, the following alternative experience tracks could start to emerge on CISO resumes:

  • Legal: With the regulatory and litigation landscapes around cybersecurity and breach incidents growing more complex, modern CISOs are called on to collaborate with legal departments more closely than ever. At some companies, a legal background combined with relevant security industry expertise could make sense for the CISO position.
  • Product management: The Secure by Design mandates led by CISA and the broader cybersecurity community will drive more movement at the top of the executive food chain for embedding security into product roadmaps and planning. Companies with heavy engineering or product development missions will want CISOs with product management experience.
  • Vendor management: With third-party risk management and software supply chain security growing in importance within the discipline of cybersecurity, many companies with complicated vendor relationships may start to draw cybersecurity leadership from the vendor management side of the house.
  • Accounting: Late last year the Association of International Certified Public Accountants rolled out new rules that will have prospective CPAs choosing one of three major specializations to train in as a part of their certification. Cybersecurity was one of those three, which means in the coming years we'll see a host of new cyber accountants hit the workforce. With further on-the-job training, these disciplined, detail-oriented individuals will emerge as prime candidates for CISO positions sometime down the road.
  • Business operations: Ops folks know how to work cross-functionally across the business, how to speak the bottom-line-oriented language of business, and how to manage people. These are the most essential skills for the modern CISO and are arguably harder to train in leaders than security fundamentals. Putting mid-career business operations people through some lower-level security job rotations could prove a fruitful way to build up future CISO candidates.

Ultimately, the data and the zeitgeist show that enterprises are moving toward CISOs who are team builders. They don't necessarily have technical experience themselves, but they must know how to manage technical people and communicate clearly with the rest of the business. A shift in pedigree may be just what many organizations need to bring those leadership skills to the top security executive role. A shift in background could also have a very significant side benefit: namely, it could help alleviate the CISO diversity problem.

The most recent numbers show that 90% of CISOs are men, and 65% are white. Casting a broader net across different business disciplines could attract a wider range of qualified business leaders and change the makeup of the CISO pool. This could effect not just a shift in the numbers, but also a change in the cultural and philosophical mindset of the role. Bringing in a more diverse set of people could heighten the chances of filling the role with more flexible thinkers who can balance the technical basics with the more difficult collaborative requirements of security work.

Bob Ackerman, founder and managing director, AllegisCyber Capital

Editor’s Note: This is the second of three Monday morning columns on the changing role of the CISO.
