Future CISOs owe a debt of gratitude to people like Jane Scott Norris. Not only is this government veteran a trailblazer as the Department of State's first CISO, but longer than most, she's been outspoken on the need for security managers to learn the businesses they serve. While a technology background is vital, it's not surprising that Norris also thinks more diplomatic skills, such as marketing, speaking, writing and project management, are important for CISOs.
Should future CISOs be business people? IT people? Both?
I think you need a mix of skills. You definitely need to understand the business you're in. I've been in IT in the State Department for almost 20 years, but, having served overseas a lot, I think I understand our business fairly well. That is imperative.

Do CISOs really need to learn to speak the language of business? Is that the must-have skill?
You need to speak in plain English and not be wed to all those techie acronyms. You need marketing skills; you talk to a lot of people and you've got some good ideas, but if you don't have the marketing skills, you're never going to get things sold. You also have to be able to make your case quickly and easily. In my area, if you can't make your case in one page, you're never going to get in the door.
Would you suggest taking classes to hone those skills?
Sure, why not? Go to Toastmasters to learn your speaking skills. So many people in our business, if they come up through the IT world, are not very good at public speaking, writing or project management. Those are skills I encourage.
How many CISOs have this mix of skills?
Most of the successful ones do. Many of us were involved in Y2K, and I think that was the first time that I understood how important the business side of things was. That was my crusade: "Hey, this isn't an IT problem, it's a business problem."
Do many still work in isolation as solely an IT person?
There are purists out there, and that's great. We need them. But are they going to make the next level? I don't really think so, not if you're going to be locked into that kind of thinking.
Read the complete interview at searchsecurity.com/ismag