So you want to be a CISO? Make sure you know what the top role involves - and what it doesn't, says Paul Simmonds.
After seven years as chief information security officer (CISO) for ICI, Paul Simmonds is concerned about the lack of presence of CISOs in business. Part of the issue, he contends, is that boards lack the ability to assess the competency of this emerging C-level executive.
“Every large company should have a senior CISO,” says Simmonds, who is moving from ICI to another FTSE-listed company following the sale of ICI to Akzo Nobel earlier this year. “Unfortunately, there are relatively few true CISOs out there; generally it's confined to the banks, a few enlightened corporates and those firms that live and die by their online presence.”
Simmonds wants the profession to develop people for this top role. In the first instance, he says, individuals need to ask themselves whether they really want to progress into the CISO role.
“If what you enjoy is the buzz of being at the cutting edge of IT, this is not right for you. I haven't been at the sharp end of technology for the last 10 years of my career, if not more,” he says. “My role changed to being much more involved with business strategy, politics and the profit and loss of my and other departments as we work to assure the company's intellectual assets are properly protected.”
Potential CISOs need to be interested in being developed as business partners and helping all staff recognise that security is part of their job role, while being able to sell the merits of what they do for their organisation. A potential CISO needs to fulfil a broad spectrum of requirements: to assure the configurations of firewalls one day, or the connection of SCADA systems to the internal network another.
Simmonds says that certifications to assure specific skills are essential. “But the big question will be whether a candidate for the CISO role has gained both the knowledge and the wealth of experience needed to manage the responsibility at the highest level. Generally the board isn't qualified to answer that question, which is where the profession itself needs to step in to provide a level of peer review and assurance,” he says.