COMMENTARY: Now that top management has been calling for chief information security officers (CISOs) to emphasize business strategy and risk management over technical leadership, the route to the top cybersecurity role will face some significant changes in the coming years.
While companies will always want to place a smart technical person in the hot seat who has learned the business ropes along the way, the changes in enterprise expectations for CISOs will inevitably impact who's recruited to the role.
If the board seeks more business leadership from the CISO, then it makes sense that companies will hire candidates who have followed a business career path rather than a technical one. Many within the security community see the writing on the wall here: a recent poll of information security professionals showed that a plurality of them (47%) believe the CISO role is already becoming less technical.
Other research backs up this gut reaction from security pros in the field. According to recent research from IANS, the majority of CISOs (76%) have followed a technical career path with a minor focus on risk-focused functional areas. But almost 25% of CISOs followed a primarily non-technical route to their current position. Today, the likeliest alternative backgrounds are security-adjacent career paths such as governance, risk and compliance (GRC) and audit and risk: approximately 22% reported that their experience fell into those risk and compliance functional areas. Just a 2% sliver came from outside any kind of technical or risk background.
I think that in the coming years this “other” category will grow as more boards demand that CISOs bring deeper business awareness and experience to the table. As this happens, we'll see the pedigree of the typical CISO start to shift. In addition to drawing more audit and risk professionals to the table, the following alternative experience tracks could start to emerge on CISO resumes:
Ultimately, the data and the zeitgeist show that enterprises are moving toward CISOs who are team builders. They don't necessarily have technical experience themselves, but they must know how to manage technical people and communicate clearly with the rest of the business. A shift in pedigree may be just what many organizations need to deliver those leadership skills to the top security executive role. A shift in background could also have a very significant side benefit: namely, it could help alleviate the CISO diversity problem.
The most recent numbers show that 90% of CISOs are men, and 65% are white. Casting a broader net across different business disciplines could help attract a wider range of qualified business leaders who could change the makeup of the CISO pool. This could bring about not just a shift in the numbers, but also a change in the cultural and philosophical mindset of the role. Bringing in a more diverse set of people could heighten the chances of filling the role with more flexible thinkers who can balance the technical basics with the more difficult collaborative requirements of security work.
Bob Ackerman, founder and managing director, AllegisCyber Capital
Editor’s Note: This is the second of three Monday morning columns on the changing role of the CISO.
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.