Thursday, October 27, 2016

Qualities of an effective CISO (1)

SANS.EDU is updating our strategic plan. I asked my LinkedIn network for help in documenting what knowledge, skills and abilities an effective CISO would need to have. The list below is my best effort to create a synthesis of the replies. Please note that the order does not imply importance; I tried to group similar things together, and ranking these by importance will be a future step. Thank you very much to everyone who participated.

1. Broad knowledge of cybersecurity principles, ranging from the technical to the human to the physical.
2. Deep knowledge of the cyber threats we face today, and tomorrow. A CISO must understand the motivation behind malicious actors; knowledge of their tactics, techniques and procedures helps us better defend, detect, isolate, and recover from the inevitable.
3. Ability to understand the balance between risk and security, and how to integrate that balance into a given organization.
4. Expert experience in at least one cybersecurity discipline.
5. Incredible organizational ability: keeps people on task and focused in order to build, design, deliver, and expand the information security program.
6. Ability to prioritize and triage incident response and vulnerability remediation in a calm, balanced manner.
7. Ability to effectively communicate technical information to non-technical audiences.
8. The ability to tie business context and concepts to data protection and to the technical components within the IT and InfoSec space. This doesn't mean they need to be an expert; it means they need to be able to connect these dots for other business leaders.
9. Liaison between technology and the business, collaboration focused.
10. Clear understanding of which battles to fight.
11. Capability focused, not vendor/tool focused.
12. Strong leadership skills at both the organizational and individual-contributor levels.
13. Relationships, inside the organization and out (think of the "connector" from The Tipping Point).
14. Ability to attract and retain top-tier technical talent.
15. Mentoring (up and down).
16. Taking care of the team you are privileged to lead.
17. Creative thinking; able to apply adaptive strategic and tactical thinking.
18. Lifelong learner.
19. Humility.
20. A sense of humor.


  1. I think 8 and 9 are great points that we can miss. Sometimes we have a hard time equating the financial/business gains or potential losses to the cost of INFOSEC. I don't know if a course exists, but looking at the financial/business expense and gains of INFOSEC and doing risk analysis is a key skill.

  2. You've touched on the big things that I see. Those being: risk focused, understands business, builds strong teams (as opposed to individuals), and humility (which I would have called "admits that he or she doesn't know everything").

  3. I think the size & type of organization plays directly into how technical a CISO should be. In an ideal world, I agree with technical depth (#4) but larger organizations probably rely more on the business and organizational skills.

  4. Good list. Thanks for compiling.
     While many of these items are valuable qualities for all tech managers, items 9, 10, 17, 19 and 20 are of particular use, since most of us are viewed as managing a cost center rather than a profit center. Unless you're the CISO hired after the come-to-cyber-Jesus moment has already arrived, you will be selling the value of every additional control. So, 'integrate' in item 3 will include the ability to make your case and persuade fellow C-levels.