
What should you look for in candidates for a CISO position?

The CISO position can be tough to fill, especially when enterprises set high expectations for the candidates. Expert Mike O. Villegas discusses key CISO qualifications.

I'm in HR and my company is looking to hire a chief information security officer (CISO). I'm curious about what qualities and backgrounds beyond technology we should look for in candidates. Are there specific types of executive roles that can give a potential CISO the proper enterprise experience? Should a business degree be a requirement to give better standing with the other c-levels?

Hiring a CISO is a laudable goal. It implies that executive management realizes the value of having an executive-level position for information security. The CISO is an executive who provides expert guidance to other c-level executives on matters of risk, compliance and information protection, viewed from the perspective of strategic and tactical business objectives. Security practitioners are typically technical in nature but do not generally have access to c-level executives, so the CISO position can help fill this gap.

A security professional could potentially grow into the position; however, the Peter Principle -- the theory that a candidate for a job is more likely to be judged on their performance in their current position than on their actual qualifications for the job they applied for -- is generally the reason internal upward mobility into the CISO position has had limited success. So what qualities, experience and educational background should a prospective CISO have?

Ideally, a CISO should have a combination of business and technical skills that allow for competent contributions and guidance with both IT and executive management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifications for a CISO include:

  • Degree in accounting or an MBA; degree in CIS or information security;
  • CPA, CISSP, CISM, CISA and PMP certifications;
  • CFE, CEH, GPEN and CRISC specialized certifications;
  • Ten years' minimum experience as a CISO, information security engineer or security consultant. Big 4 senior managers or partners from systems assurance practices would be an added plus; and
  • Memberships in ISSA, ISACA, (ISC)2, OWASP or CISO forums.

As difficult as it may appear to find an individual with this background, these are the qualifications that can make or break a candidate's success in the role.

A candidate for a CISO position needs to be incisive, diplomatic and confident. They should have high technical acumen and be passionate about information security, but not so quixotic or dogmatic that it would call their credibility into question.

CISOs need to understand business, especially the business culture, goals and strategies of the enterprise. They need to build a work environment in which the employees share -- or at least support -- their passion for information security. They must be able to make decisions and not kowtow to executives.

Finally, CISOs should be independent thinkers who are able to lead by example and not just manage by objectives.

There are many great candidates with these qualities and qualifications in the market today; it's just a matter of finding the right one.

3 comments

What qualifications do you think are necessary for CISOs?
Mike, I believe a good CISO has a business, audit, IT and information security background that includes the following designations: CISSP, CISM and CISA certifications. In addition, they do have to be confident, think strategically and tactically, understand enterprise IT risk, and have at least 15 years of combined experience in business, IT, audit and information security OR an MBA with 10 years of IT, audit and information security experience.
I agree with all of these, but also feel experience/certifications in some operational areas are also helpful - Sys Admin or Net Eng w/ MCSE, CCNA, DBA, etc., and some development experience (preferably web development) - GREATLY increases a candidate's value. A run through audit or compliance is a HUGE plus, as these roles require reporting to the board and having a whole-business view of a company, as well as providing real-world risk management experience. I'm biased of course, as this describes me, but these other positions have made me the strong, effective CISO I am today.