@jerry

[ ] Both technical and business

I know it's a unicorn -- but it seems very difficult for a CISO to not have a healthy helping of both.

@jerry NB: this definitely struck a nerve of mine regarding C suite tech roles & their titles.

I'm willing to bet I skewed your data based on that. 🤷

@jerry

Probably a pair of people, one business, one technical.

But overall I'm frustrated with business, law, and finance. They have this nasty habit of folding in on themselves and becoming an arms race that sucks all the air out of the room.

@jerry it needs to be someone who has cred with both the tech/security part of the org, and the board. So they need one foot in both worlds.

The entire problem is that tech and biz speak different languages; the CISO needs to be a translation layer that can balance their different priorities.

@jerry I was the marginally technical, mostly business CISO. I knew the things that needed to be done but probably not all the fine details of how to do the work. I’m always happy to learn and get my hands dirty, but sometimes that derails me making progress in other areas.

Prime example, I know what’s required to check the various boxes for CMMC and can ask the questions to determine if we have the process in place, but I may not know exactly what the steps are to make that process work.

@jerry
Above all CISOs need:
An unbelievably robust tolerance for inadequacy which makes any security achieved a delightful surprise. A capacity for accepting the limits of influence & control; that any marginal security gain may be “good enough for who it’s for”.

As a bonus: talent for having criticism delivered, received as praise.

@jerry

They just need to be able to take the blame when the time comes and get replaced by the new guy.

@jerry

This.

@jerry I'd say technical enough that your technical folks underneath you couldn't blind you with details, yet business-savvy enough to participate in CxO meetings and to both explain your division in human terms yet still fight for and get your needed budget.

This is my view from the sidelines, never been a CISO, never want to be one.

@jerry In my opinion, this was missing a level in between. I think you can see, by the weights of answers, that people agree that business and its processes are important but so is technical.

I’d say “deep technical roots/background” is important. It doesn’t need to be current or hands on anymore. But having the skill and ability to truly follow along a highly technical explanation, given by someone in an operations or threat detection team (even if somewhat detached by middle management) is a real win.

Having the respect of technical teams allows them to speak more freely, provide opinions, and allows them to trust that your decisions, while not always what they wanted, have taken in to consideration their point of view. Plus, it helps support the hiring and development of middle management with similarly appropriate technical skills.

The rest of the C*s will never care. So, the business acumen is what will come through in these conversations. I’ve heard it put by others “you speak ‘boffin’ don’t you?” - so even though the role by its nature is mostly GRC, the other C*’s will appreciate a “translator“.