Friday, October 28, 2016

Important Knowledge Skills Abilities (KSAs) for successful CISOs

For the past few months I ran an open survey of LinkedIn connections and the GIAC Advisory Board to determine the Knowledge, Skills, and Abilities (KSAs) a successful CISO must have. We then ran a follow-up survey (thank you, Barbara Filkins) to measure the importance, criticality and frequency of each skill. This post covers the importance (core) KSAs.

The 61 survey participants ranked each element from 1 to 5, where 1 = Least important; 2, 3 = Important; 4, 5 = Most important. The mean score is shown after each item.

Tier 1: Most important

  • Able to build relationships and partner with Directors and Board members, particularly outside of IT (4.51)
  • Ability to understand the balance between risk and security, and how to integrate this into a given organization; able to facilitate discussions about risk (4.44)
  • Clear understanding of which battles to fight; ability to prioritize when there is always more work to be done than time or resources (4.38)
  • Able to integrate with the company's mission and with other divisions' agendas; understands the business (4.36)
  • Build and take care of the team you are privileged to lead (4.33)
  • Ability to communicate technical information effectively to non-technical audiences (4.32)
  • Ability to tie business context/concepts to data protection and technical components within the IT and InfoSec space (Note: a person doesn't need to be an expert, but needs to be able to connect these dots for other business leaders) (4.30)
  • Liaison between technology and the business; collaboration focused (4.30)
  • Ability to attract and retain top-tier technical talent, as well as develop less experienced team members (4.23)
  • Work well under pressure (4.18)
  • Broad knowledge of cybersecurity principles, ranging from technical to human to physical (4.10)
  • Creative thinking; able to apply adaptive strategic and tactical thinking (4.08)
  • Mentor and communicate (up and down) (4.02)

Tier 2: Important

  • Capabilities focused, not vendor/tool focused (3.98)
  • Lifelong learner (3.97)
  • Humility; able to admit that he/she doesn't know everything (3.95)
  • Build and manage relationships both inside and outside the organization (think Tipping Point connector) (3.85)
  • Strong organizational ability to keep people on task and focused in order to build, design, deliver, and expand the information security program (3.79)
  • Ability to grow the team as the organization grows (3.79)
  • Ability to prioritize and triage incident response and vulnerability remediation in a calm, balanced manner (3.74)
  • Deep knowledge of the cyber threats we face today and tomorrow (3.60)
  • Ability to produce and manage to a budget (3.59)
  • Design, build, and manage an effective security awareness program (3.58)
  • A sense of humor (3.39)
  • Expert experience in at least one cybersecurity discipline (3.13)

Tier 3: Less important

  • Résumé demonstrates loyalty to the organization; a good CISO does not job-hop (2.74)
  • Advanced degree (Note: Master's degree preferred, especially an MBA) (2.08)

About the survey

The original post presents the participant demographics as charts (not reproduced in this text):

  • Job roles of survey participants
  • Industry of survey participants
  • Organization size of survey participants
  • Geographic regions of survey participants

What is next for this project?

I am going to try to use LinkedIn and the GIAC Advisory Board to collect some qualitative information, to see whether these KSAs can be broken down further and to seek wisdom on how to approach the most important KSAs.

About the author:

Stephen Northcutt is Director for Academic Advising at the SANS Technology Institute and chairperson for SANS Rocky Mountain 2017, June 12, in Denver.

Comments

  1. Mentor and communicate (up and down) 0 1 15 27 18 4.02 61?

     I guess 4.02

  2. Thanks for this great post. I believe it matches what I have seen in and out of the InfoSec space.