That was the verdict of the ‘The Future of the CISO’ keynote session at SC Congress, which took place at the ILEC conference centre in London yesterday.
Speaking in front of almost 300 delegates, experts ranging from CISOs to high-profile lecturers, consultants and security advisers debated the challenges facing the information security industry with regard to the role of the CISO: the range of skills and personnel needed, the cyber-security skills shortage, and the need to articulate risks to the board effectively.
Professor Fred Piper, the legendary Professor Emeritus at Royal Holloway, University of London and an adviser to GCHQ on its promotion of cyber-security skills, including its accreditation of cyber-security Masters degrees, began his keynote presentation by asking what the best qualifications are for future CISOs, citing CISSP, MScs and even MBAs as some notable examples, as well as courses offered by the likes of CREST, (ISC)², SANS and ISF, and apprenticeships.
He said that the industry has accelerated rapidly in the past 15 years, from jobs that would be offered based on word-of-mouth recommendations to an age where competence is validated via renowned courses and experience.
But even then, he said that information security education must improve further, especially by introducing the subject at STEM level.
Competence, he said, is not something that comes from university, although he did highlight CISSP as the most widely adopted qualification, and degrees as getting “more advanced and demanding”, especially with GCHQ's new involvement.
Piper said that employers are looking for “more than just knowledge”, often requiring at least three years' experience – which can make life tough for recent graduates.
On GCHQ's involvement he said: “I think they're doing an excellent job at promoting and encouraging cyber-security. Are they the right organisation to do it? (define the role of CISOs in the private sector) Almost certainly not… but they have the authority and the drive to make it happen.”
And he said that more collaboration is needed between security and business.
“The whole theme of today has really been of security and business having to go together, of communication between the two. There has to be a partnership.”
He added that the future CISO depends on numerous factors, from the size of security team or company, to the culture and nature of said firm. But citing EY's Mark Brown who spoke on an earlier panel, he reiterated that current CISOs would need to “change or be changed”.
Andrew Rose, CISO and head of cyber-security at NATS, told SCMagazineUK.com prior to the panel that the current role requires a mix of technical and business skills, as well as the ability to approach and communicate with the board. Increasingly, he sees these people coming from other business areas, irrespective of whether they have a CISSP or MBA.
On the panel he added: “The CISO role has changed a lot in my time in security. It used to be very technical,” citing a common route from network operations or access control up to the CISO position.
“The successful CISOs I see have much more of a business focus. The technology side is a small part of their role. Most of the CISO's focus has to be on talking business strategy, on working with the board.”
Mike Loginov, CISO and CEO of The Ascot Barclay Cyber Security Group, has been an industry adviser on the establishment of Coventry University's cyber-security MBA and said that the course is “looking at skills for the corporate leader”. For example, he said that it would teach them how to react when a compromise hits the press, and how to involve HR and legal people in the data breach clean-up process.
“As a corporate CEO, let alone a CISO, the pressure one must face must be excruciating. I know it is, as I've done post-breach investigations at some fairly large organisations.”
Sarb Sembhi, director at Storm Guidance, said that there is potential for CISOs to eventually migrate to the CEO position.
“The only way for that to happen is to not come from a geeky tech background but more of the (business) background that has been described.
“We need less nerdy and more star-trekky,” added Sembhi, citing Captain Kirk as an example of a man-manager who was not himself particularly techy, but who had a technical and expert team.
“That's the way CISOs in big organisations are likely to be, it's about bringing the best out of people and it's not dissimilar to the CEO. I think that's the way the CISO [job] is going to go in the future, and the way they could become CEO.”
Rose was more sceptical, citing CISOs' passion for cyber-security, a possible lack of business career drive, and a different approach: he says CEOs are ‘promoters’ whereas CISOs are ‘protectors’. “CISOs and CEOs – I think there is a big divide between the two roles.”
Loginov added: “I see the CISO title being all-encompassing, multiple skills. It depends on the role an individual is having to do in an organisation. It may be very technical or more [focused] on strategy… there will be a full tapestry.”
There was no uniformity of opinion over what the future CISO might look like, other than that the role needed to be more senior with access to the board, and a suggestion that there would be a range of roles, with the relative balance of technical or business skills dependent on the size and type of organisation. Thus a future CISO may be asked, just as a lawyer is asked whether they practise criminal, civil or some other kind of law: what type of CISO are you?