Gareth Lindahl-Wise and Quentyn Taylor
Gareth Lindahl-Wise and Quentyn Taylor

PRO: Gareth Lindahl-Wise, CISO, ITC Secure

My starting position would be that a technical background is not critical but it can be helpful, if it's not at the expense of other things.

I think a high-level tech overview can tell you when something sounds right or when something doesn't tally. The ability to translate technology responses and risk to the senior level is important, as is the ability to challenge the advice and information you're getting to keep staff and suppliers honest and on their toes. 

In a big organisation, there's probably a big IT security function so that a base of knowledge can come from elsewhere. There's probably a skills curve, where the technical skills drop off at a bigger organisation. But in any environment, a broad understanding of IT and IT security is helpful to give a sanity check to business plans.  

One of the main challenges is, can you deliver pragmatic solutions to the business risk or do you just have the latest shiny box and think is the answer to all your problems? You need to translate the relevant picture to the board. 

I think some SMEs don't have that understanding so what they really need is a trusted partner to deliver pragmatic solutions.

Several organisations do use CISO-as-a-service or an interim CISO and that can be the right approach for SMEs who are struggling to attract and retain people with the right skills and experience.

ANTI: Quentyn Taylor, director of information security, Canon EMEA

To be honest I agree [with Gareth] but the most important skills are non-technical. You can get dragged into the detail and you don't want to do security for security's sake.

Many of the people I've interviewed recently lacked these business skills, and the biggest challenge with a lot of CISOs is that they say that the board doesn't understand their language. But you've got to ask ‘how many of them understand me?' If they don't, surely it's you – the CISO - that has the problem, not them.

IT security is not alone; IT, CSR, legal and the marcoms departments have all been doing this for a long time – they're talking in different terms and they have their own common lexicon. 

The business people make the money so you need to listen to them. You are there as loss prevention  and risk management to save the company money. As they make the money, from that perspective they're much more important than you.

[If I were hiring a CISO] my first focus would be on communication – if they can't communicate internally  or externally, to shareholders (or the board), they're not going to be very useful at their jobs.

They'd also need to understand the business and its risks, what those risks are, how they impact you and when to take risks. And understand what the business process is – every business is different and there will be unique and different risk tolerances.