So you wanna be a CISO? What skills do you need?

Henry Dalziel | Information Security Careers | June 17, 2013

Many of our students are either already working, or are wanting to start a career within information security. Many strive to reach the highest level they can within their chosen space, and for many, that is to become a Chief Information Security Officer (CISO).

What are the roles of a CISO?
The C-level position always indicates senior management, and the CISO’s main role is to establish and maintain the protection of the organization’s information assets. As the head of information security, all aspects of IT security fall within the CISO’s control. The CISO must assess risks, react to cyber threats, establish official corporate standards and controls, and oversee the implementation of cyber defense policies and procedures. Training is also central to this role: awareness training on topics such as social engineering would be seen as important, as would arranging training (typically vendor-neutral infosec certifications) for middle information security managers.

Listing the responsibilities of the CISO

  • Ensuring legislative, compliance and information assurance requirements are followed 100% of the time (remembering that a corporation can be fined millions for security breaches, especially if the vulnerability was widely known and should have been addressed). Examples of compliance regimes include HIPAA and FISMA.
  • Security investment. A CISO will need to demonstrate how investment can be used to protect the organization’s assets, not least how the brand can be protected by financial investment following the ‘shame’ of being hacked.
  • Understanding of industry-specific security systems. For example, if the CISO works within a financial environment then clearly he or she must understand the specific tools, hardware or any other material or equipment that is used within that industry.
  • Understanding (and perhaps even selecting) the corporation’s software stacks and security architecture.
  • The CISO must create an emergency response team to act when a security breach is imminent or has occurred.
  • Creating policies to safeguard corporate assets by restricting current employees from accessing certain assets whilst ensuring that ex-employees are also no longer privy to confidential materials.
  • Creating or ensuring access to a digital forensics team for any breach of compliance etc.
  • Creating a disaster recovery plan to allow for business continuity post-cyber attack.

The above list is only really a summary, but you should get the gist – as a CISO you will essentially be the boss of security. Anything that falls within a security bracket is your concern. Think like a hacker, think like a bad guy, and then think how to defend and what would follow on from an attack. The position really requires a mix of artistic and scientific skills. Scientific in the sense that clearly the individual must have solid computing skills and an understanding of the processes (and potential holes therein), but also artistic in the sense that many attacks are not scientific or ‘traditional hacking’ but rather are the result of social engineering, i.e. think about dumpster diving, tailgating, etc. Not all threats are executed by some hacker sitting in a bunker in ‘fill in the blank nasty country’ – many real and damaging threats come from internal disgruntled employees, which is why I mention the need to think with an artistic hat on.

The importance of having a CISO, and a good one at that, is clearly on the rise.

If you are a CISO then please add a comment below; we’d love to hear from you and gauge your thoughts. In your opinion, what are the key skills a CISO needs?

Leave a comment or reply below...thanks!