The acronym for chief information security officer, CISO, is occasionally spelled out as ‘career is so over’ by those who move in the security circles. In the esoteric world of cyber security, the top job used to be seen as so specialised and maverick that once you had it, there was nowhere else to go.
However, this profile is changing and the modern CISO should have business acumen as well as technical brilliance. The old-school security chief who regarded the network as personal property is on the way out and is being replaced by a technically gifted executive, comfortable with a consensus style of working. Certain attributes remain, however, and among these are an ability to think methodically, an attention to detail and a healthy paranoia.
While the new-age CISO needs to be business savvy, they can never leave technology behind, and indeed delegation may be a dangerous thing. "General managers make poor CISOs," confides one expert, not least because their staff do not respect anyone who doesn’t know their stuff. The general manager or non-security expert also has insufficient experience in security risk decisions and trade-offs.
The inventor of the proxy firewall, Marcus Ranum, describes the necessary mindset as a ‘special kind of brilliant kind of pessimism’. “At the opposite of the software engineer who constantly asks ‘what could go right?’, the perpetual task of the CISO is to ask ‘what could go wrong?’”
What type of person should you be?
A security specialist has to be hugely inquisitive with an insatiable thirst for knowledge. Things are always changing and always different as the attacker never stands still and the security person has to stay ahead. The good security person often has a low boredom threshold. People good in this role are also attracted by processes and are creative and communicative.
There’s a crucial difference, too, between being a security talent and a CISO. The former may be happy to stick at nice ‘crunchy’ pieces of work such as configuring a new router or testing the firewall. The CISO has to be always thinking of the business implications of security breaches and to have the ability to communicate these to fellow executives in a vocabulary they understand.
Panellist’s view: The thirst for knowledge and the desire to continually learn is a mark of the CISO. A CISO I know stays up late ‘til 3am decompiling malware. He does it to stay on top - and because it’s fun.
What are the first and second jobs; what’s the career path?
Security touches on all aspects of the IT infrastructure, and a good CISO knows a little about a tremendous number of things. Security analyst is a good first post, either on a technical or a risk route, and the technical route can be consolidated by a role in infrastructure. There’s no wrong first job, but the choice of second and third jobs does become more important.
Pioneering information security sleuths tended to be brilliant minds that stumbled upon the niche. The second generation were like-minded individuals who consolidated technical know-how learnt on the job through formal training. A new generation of security staff is being cultivated in enterprises, which recruit bright and shiny computer science graduates who will do a stint in security. If they display an aptitude, it’s likely they’ll be retained there to acquire deeper skills.
There’s a new school of thought that advocates that aspiring CISOs go and get business experience before honing technical skills. This could be anywhere in the business that helps develop a ‘nose for risk’. Once someone is viewed as a prized security techie, it may be hard for them to be released in order to acquire the business experience necessary for the modern CISO.
Panellist’s view: I’ve been everything from coder to sales support. The important thing in this role is not to be fooled by anyone.