Friday, October 28, 2016

Qualities of an effective CISO (2)

‪SANS.EDU‬‪ is updating our strategic plan. In July, I asked my Linkedin network for help in documenting what knowledge, skills and abilities an effective CISO would need to have. Then I asked the GIAC Advisory Board. The list below is my best effort to create a synthesis of the replies. Please note, the rank order does not imply importance, I tried to group similar things together, but it will be a future step to rank these in importance.‬

UPDATE: 8/14/16 We are now trying to rank these values using the ANSI/ISO/IEC 17024 Personnel Certification Accreditation Program approach, to prioritize them based of the ICF values as shown:
Important: these elements are needed for the job and are considered core knowledge.
Critical: failure to understand or execute properly on the elements could lead to harm.
Frequent: these elements are used in the job on a frequent basis.
Selecting a 1 for any of the ICFs mean that is NOT highly valued, a 5 for any ICF means it is very highly valued.

If you are willing to help with this next step please take the survey here:

Here are the elements defined and refined to date:
1. Broad knowledge of cybersecurity principles, ranging from technical to human to physical.
2. Deep knowledge of the cyber threats we face today, and tomorrow.  A CISO must understand the motivation behind malicious actors, and knowledge of the techniques, tactics and procedures used can help us better defend, detect, isolate, and recover from the inevitable. 
3. Ability to understand the balance between risk and security, and how to integrate this into a given organization. Able to facilitate discussions about risk.
4. Expert experience in at least one cybersecurity discipline
5. Capabilities focused, not vendor/tool focused  
6. Incredible organizational ability, keep people on task and focused in order to build, design, deliver, and expand the information security program.
7. Ability to prioritize and triage incident response and vulnerability remediation in a calm balanced manner.
8. Ability to effectively communicate technical information to non-technical audiences. 
9. The ability to tie business context/concept to data protection and technical components within the IT and InfoSec space. Doesn't mean they need to be an expert; means that they need to be able to connect these dots for other business leaders. 
10. Liaison between technology and the business, collaboration focused.
11. Able to build relationships and partner with Directors and Board members, particularly outside of IT
12. Able to integrate with the company's mission, and with other division's agendas. Understands the business.
13. Ability to produce and manage to a budget.
14. Clear understanding of which battles to fight, ability to prioritize when there is always more work to be done than time or resources.
15. Design, build, manage an effective security awareness
16. Ability to grow the team as the organization grows.
17. Ability to attract and retain top tier technical talent as well as develop less experienced team members
18. Relationships (inside the org and out), (think Tipping Point connector)
19. Mentor and communicate (up and down)
20. Build and Take care of the team you are privileged to lead
21. Creative thinking, able to apply adaptive strategic and tactical thinking.
22. Works well under pressure
23. Life long learner
24. Resume demonstrates loyalty to organization, a good CISO does not job hop
25. Humility, (admits that he or she doesn't know everything)
26. A sense of humor.
27. Masters degree preferred, especially MBA

Parking lot
CISO reports to: CSO, CEO, CIO?

1 comment:

  1. The Executive Board actually has a really great analysis that looks at the organizational view of security and its emphasis on operations, finance, and risk, to consider 4 different CISO reporting models. E.g. The differences and characteristics of an organization that would make a CISO more successful reporting to a CFO versus a CEO. What types of organization have the CISO report to the CIO, etc. I'd caution you on the parking lot, that there is no silver bullet.

    There are certainly some anti-practices, but in some organizations, the CISO is a function of strong risk management. In a financial services organization, for example, the CISO is actually a stronger impact to the business reporting to the CFO as a function of risk and compliance, than to the COO.

    In other organizations, the CISO would be near powerless as finance may be less of a driving factor, and the COO oversees the way that delivery operations are conducted. The CISO as a subset of the COO then has a stronger ability to effect change, etc, and a stronger degree of authority.