@jerry In my opinion, this was missing a level in between. I think you can see, by the weights of answers, that people agree that business and its processes are important but so is technical.
I’d say “deep technical roots/background” is important. It doesn’t need to be current or hands on anymore. But having the skill and ability to truly follow along a highly technical explanation, given by someone in an operations or threat detection team (even if somewhat detached by middle management) is a real win.
Having the respect of technical teams allows them to speak more freely, provide opinions, and allows them to trust that your decisions, while not always what they wanted, have taken into consideration their point of view. Plus, it helps support the hiring and development of middle management with similarly appropriate technical skills.
The rest of the Cs will never care. So, the business acumen is what will come through in these conversations. I’ve heard it put by others “you speak ‘boffin’ don’t you?” - so even though the role by its nature is mostly GRC, the other C’s will appreciate a “translator”.
@jerry I think the strongest guidance comes from what makes a good CFO. Finance is ultimately a technical field. A good CFO is good enough at the technical aspects of finance to understand what’s being given to them from below, but has a business-wide perspective and hopefully a longer view than just next quarter.
@jerry I'd say technical enough that your technical folks underneath you couldn't blind you with details, yet business-savvy enough to participate in CxO meetings and to both explain your division in human terms yet still fight for and get your needed budget.
This is my view from the sidelines, never been a CISO, never want to be one.
@jerry In Sales, I learned that what drives people is what is important to their boss/what they get MBO-ed on. CISOs typically work for CXOs who are MBO-ed on business results. My guess is that CISOs need to be mostly business.
(Just in case, MBO=Management by Objective pay bonus)
@jerry I have difficulties with the option. My choice would be „good communicator“ which is neither „business“ nor „technical“. You must be able to speak with both sides.
@jerry d) very capable in risk management & policy / process development, with enough technical knowledge to understand where risks arise in technical systems and to be able to liaise with both the tech people & the business system owners (a.k.a. risk owners) 🙃
@jerry
Above all CISOs need:
An unbelievably robust tolerance for inadequacy which makes any security achieved a delightful surprise. A capacity for accepting the limits of influence & control; that any marginal security gain may be “good enough for who it’s for”.
As a bonus: talent for having criticism delivered, received as praise.
@jerry I would prefer a CISO who could talk to other business leaders about security issues to one who understood the issues deeply but couldn't translate to business speak. This is why I don't want to pursue a CISO career but I respect those who do.
@jerry I was the marginally technical, mostly business CISO. I knew the things that needed to be done but probably not all the fine details of how to do the work. I’m always happy to learn and get my hands dirty, but sometimes that derails me making progress in other areas.
Prime example, I know what’s required to check the various boxes for CMMC and can ask the questions to determine if we have the process in place, but I may not know exactly what the steps are to make that process work.
@jerry the best CISOs I've seen or worked with are technical enough to sniff out bullsh fertilizer, and to listen when the more deeply technical resources were trying to explain something that they didn't know how to articulate at a higher level. They are also in tune with the organization's business priorities, and recognize that the best way to support their team was to educate their peers, prioritize limited resources, and successfully advocate for necessary funds and solutions while somehow knowing which hills to avoid dying on.
@jerry I think the main thing is you have to be technical enough to know when your staff is bullshitting you.
That becomes less and less detailed as you go higher, but also you have to hire technically competent managers who can also detect bullshit.
If a manager is "business only," incompetent staff can fester for a long time, and potentially drive out actually competent staff. Without a technically knowledgeable manager, it becomes a case of who has the more convincing narrative and who is better at gaming the system.
@jerry Way I see it, CISO is fundamentally a risk officer. It's important for the CISO to understand the sources of technical risk, without necessarily being able to implement them. The CISO's contributions are business-level, not console-level.
@jerry it needs to be someone who has cred with both the tech/security part of the org, and the board. So they need one foot in both worlds.
The entire problem is that tech and biz speak different languages; the CISO needs to be a translation layer that can balance their different priorities.
@jerry
You need to be able to convince the business to do things and you need to have staff you trust. To be deeply technical you probably have to be doing the work, and you don't have time to do both.
@jerry That really depends on the size of your organisation, doesn't it?
I don't expect the CISO of a large organisation to be a technical person, but a smaller org may need a person like that.
@jerry Technical knowledge, and specifically capabilities and limitations of various technologies, is important. So is understanding how and why a business functions.
But the third part of the CISO job is to understand people and culture. Without that you are going to end up in the scenario you described the other day: shouting at somebody who clicked on the wrong link in an email.
Bridging tech and business is good, doing it with heart is better.
Probably a pair of people, one business, one technical.
But overall I'm frustrated with business, law, and finance. They have this nasty habit of folding in on themselves and becoming an arms race that sucks all the air out of the room.
@jerry fwiw I've found that successful managers in tech need to have at least an understanding of the tech, as this lends well to understanding business needs and employee resources.
The best at the role are both. Boards don't seem to understand this, and it makes a technical manager's job more challenging, though not impossible.
Occasionally, I've seen managers in tech with such great people skills that their lack of technical knowledge didn't hurt them in the position.
I think the key is to balance business relationships with technical needs and listen to employees' views.
i'd call it people/leadership/influence skills, rather than business but a CISO does need to have done some serious technical stuff at some point but that isn't the main focus once you're CISO.
my take is that the CISO is there to explain in terms that boards and C-suite can get what the impact of various security risks and mitigations mean to their agendas.
it's not (sadly) about fixing all the holes, so there does need to be some business acumen to get the business and financial risks. but mostly, you're a bridge or abstracting service from your security folks to your board/execs.
i have a lot of respect for those that do it well but i definitely don't have the temperament for it.
done badly, it's a raft of security and financial disasters waiting to happen.