Thursday, October 02, 2014

The CISO of the Future

For many years, I’ve been asking the customer of the Chief Information Security Officer (CISO) what the business wants, needs and expects CISOs to deliver.
Yesterday, I picked up more customer-centric information with regards to what the business wants, needs and expects a CISO to deliver when I was on a call with a Chief Information Officer (CIO) and a Chief Administrative Officer (CAO), the CIO’s boss.
The CIO in this case heard me speak recently in Las Vegas when I shared a talk on a “360 Degree View of Leadership” for what I thought was a room filled with CISOs.  To my surprise and delight, in my audience was the CIO of a company that did not have a CISO.
The CIO came up to me after my talk and introduced herself.  She explained to me that she had come to hear me speak based on an invitation from someone else in the audience.  She was on a quest to learn as much as she could about the CISO role because her company did not have a CISO, but senior executives and the company’s Board of Directors had been talking about creating a CISO role in the near future.
I learned from the CIO that the topic of protecting her company’s information assets was the one issue that was currently getting the most attention in the board room with the Board of Directors.  
I had just told my Las Vegas audience that the paradigm was shifting.  I suggested that regulatory bodies like the SEC, OCC, FFIEC and more were beginning to lean on corporate Boards of Directors to get more actively involved in Cybersecurity decisions.  
It’s always a great validation when what I’ve said in front of an audience as a speaker comes back to me a few weeks later as a real conversation with one of my clients.  
There were many attributes the CIO and the CAO mentioned when I asked them to describe the security leader who would fit best into their corporate culture.  These and similar attributes come up in every “C” level search I’ve been fortunate to conduct and fill in recent years.
This prospective client wants the CISO candidates I’ll eventually recruit and deliver to:


  • Be an expert communicator
  • Clearly articulate vision
  • Not just have vision, but put that vision into action
  • Be a risk management expert
  • Not work on an island in a silo
  • Demonstrate strong emotional intelligence leadership skills
  • Be an expert collaborator who doesn’t get things done through command-and-control tactics
  • Be a business partner who specializes in relationship building, demonstrating the ability to influence culture while building the security program around business drivers.

Playing off of something I said in my presentation in Las Vegas, the CIO suggested that she wasn’t as interested in interviewing the smartest person in the room as she was interested in meeting cyber security leaders who could create solutions that would align with the business and create positive business impact.
This role by the way will likely not report to the CIO.  The CIO and CAO in this case came to me to gain an understanding of possible reporting structures.  They truly wanted to understand what kinds of best practices could be put in place with regards to their corporate governance program to produce the most holistic security program possible.
I called this article “The CISO of the Future” but in reality, this is the profile companies have been asking me to deliver when I’ve been fortunate to be called on to recruit CISOs for some time now.  This is the profile of the CISO of the present as well as the future.

Gone are the days when the CISO is only the smartest person in the room who has a CISSP certification.  Yes, CISOs of the present and the future need to have high IQ and they need to be properly educated and certified.  
Like other executive positions, subject matter expertise is just the starting point.

SecurityRecruiter.com's Security Recruiter Blog