The role of the CISO will evolve to become more of an overall communicator and business strategist.
Speaking this week at the press conference for the launch of this year's Infosecurity Europe show, Neira Jones, head of payment security at Barclaycard, said there is often a "panic first" response to security incidents, followed by a hire – such as with Sony.
Jones said: “The CISO now, from a subject-matter point of view, needs to be more of a trusted advisor and use technology to improve the business. They need to be an analyst, a facilitator, a leader and a thought manager. This means that the ideal person needs to know the business priorities all within the corporate security moral fibre.
“They need to understand the business strategy, to be a strategist and a visionary, and no longer insular. They need to take risks to meet business objectives and understand what the risk appetite is.
“A suitable CISO also needs undeniable credibility in the business, within the industry and with their peers. They also need to be an enabler of awareness and be able to influence others.”
Jones went on to say that the most important capabilities are to educate and raise awareness, using the right language.
Asked how many CISOs already matched her description, Jones said she could "count them all on one hand". She said: “In the past year there has been a shift in the industry to risk management, and CISOs are aware of how to manage risk rather than controls.”
Speaking at the same event, Professor Kevin Jones, professor of dependability and security of socio-technical systems at City University London, said "better knowledge is needed at all levels" as security professionals "need to communicate and need people trained to present issues to a variety of levels".
He said: “The modern CISO has to be comfortable in the modern space and manage conflicting requirements, but be aware of business risk and cost implications and communicate that properly. Too much risk and the company fails.
“The CISO needs to communicate all things to all levels, which is a difficult role as they have to speak geek and business fluently. We have a cultural gap that we need to fill.”
City University London announced a two-year, part-time, eight-module information security master's course designed for current information security professionals. More information is available at the website.