
Do CISOs need computer science degrees?

Equifax's CISO came under fire for having a music degree. David Shearer, CEO of (ISC)2, discusses what type of education infosec professionals should have.

As high-profile data breaches continue to make headlines, CISOs have been thrust under the microscope as their work histories, educational backgrounds and qualifications are scrutinized.

That scrutiny has sparked a debate over whether or not information security professionals, particularly CISOs, should be required to have computer science degrees. One of the most recent examples involves Equifax, which suffered a catastrophic breach last year; the credit rating agency's CSO, Susan Mauldin, came under fire for reportedly having a degree in music rather than computer science.

However, some have since pointed out that many infosec professionals do not have computer science degrees. While such degrees can be valuable, David Shearer, CEO of the International Information Systems Security Certification Consortium, or (ISC)2, believes they shouldn't necessarily be requirements for CISOs, and that other educational or training resources, as well as work experience, can provide the skills needed for certain positions. Here, Shearer shares his views on the debate and the topic of CISO qualifications.

David Shearer: Everyone jumped on the fact that Equifax's CISO had a music degree. Okay, but, scientifically speaking, music is highly mathematical. It's highly analytical.

We have lots of people that came from different backgrounds that are in the security profession. I wouldn't want to jump there.

I think, as the head of an organization like (ISC)2, a thought-leader in cyber security, I think it would be premature to throw a CISO under the bus because we don't know what's around that. It looks like there are allegations of business practices that that CSO may have had no line authority or control of.

Personally, I'm reluctant to start jumping on the bandwagon of trying to say she was unqualified. I don't know enough about her or what was going on around her. Did she have something to do with standing up a bogus-looking website for credit monitoring after the breach? Was she responsible for the site's terms of service that made it look like you had to omit yourself from any type of class-action lawsuit against the company? That might not even be the CISO.

We saw the same thing with the CIO function previously. Many people got CIO positions even though they didn't have a technical background with computer science degrees, and they had varying degrees of success. I think you can be a successful CIO and not be a technologist if you have trusted people around you that are really good that bolster you, and [if] you're a strong leader.

I still think it's a little bit of a risky proposition; having worked in that function for a lot of years, it always helped me to have come up through the technology ranks, but what I had to do was build my executive skills and my leadership skills and learn to lead those technical folks [Prior to (ISC)2, Shearer served as deputy CIO at the U.S. Department of the Interior and associate CIO for International Technology Services at the U.S. Department of Agriculture].

And it's not unlike the CISO function. Some people come in it from different degree pasts and it's really a hit or miss. Could somebody come in and be a generalist and lead all that? I think there'll always be exceptions where somebody that doesn't have a [computer science] degree is brilliant. We meet them all the time. We have members on our board that are brilliant that don't have degrees, but they have certifications.

I think it's really hard to say, 'Everyone must have a degree.' We have people that come up through the ranks that start coding when they're in their teens or even younger than that; they're phenoms. But can you count on the small number of phenoms to fill an entire industry? No.

And I think that's where certification bodies and even formal education comes in. You have some level of assurance that the person has some understanding of what's going on.

I'm not saying that every CISO has to have a CISSP [Certified Information Systems Security Professional] certification, but we're trying to offer some level of assurance to hiring officials that people have at least been exposed to the broad holistic nature of enterprise security. We don't make any claims to fame that, if you're a CISSP, you're an expert in every facet of security. It's not a silver bullet. That probably sounds counterintuitive from somebody who runs a certification body, but we have to be honest with ourselves.

This was last published in March 2018


Was Equifax's CISO unfairly criticized for having a music degree? Why or why not?
I believe a degree in anything computer related should be highly considered, especially when leading a large organization such as Equifax etc. I would at least require security certifications rather than a computer science degree.
I think certifications are a reasonable requirement, but it feels like four-year degrees are becoming an obstacle in the hiring process for infosec positions. How many successful people went to college and majored in something other than computer science? Or better yet, how many people may have dropped out of college and didn't get a degree? I'm not sure the industry is in a position to discount otherwise qualified candidates simply because they didn't complete four years of college or didn't have a specific major.
I don't think a degree alone is enough for any InfoSec position (at a CIO level). If I was the hiring manager, I would look for a combination of a degree along with certifications. Keep in mind, a degree teaches a lot more than someone without one would know, such as accounting, time management, etc. Security certification should be an absolute requirement for a CIO, such as CISSP etc. Especially at the CIO level.

The budget is vital to the IT department. I'd rather hire someone with an accounting degree than someone with a music degree.

Beyond a 2-5 year period after obtaining your degree, what contribution does your degree play in the influence of job-based responsibility and outcome? Degrees are fine to get you an entry level position when entering the market for your first job. Hiring qualifications, and even more so outcome in the job 5-40 years down the road, are irrelevant to a degree, and the focus is solely on the characteristics of the person.