That was the verdict of the ‘The Future of the CISO' keynote session at SC Congress, which took place at the ILEC conference centre in London yesterday.
Speaking in front of almost 300 delegates, experts ranging from CISOs to high-profile lecturers, consultants and security advisers debated the challenges facing the information security industry with regard to the role of the CISO and the range of skills and personnel needed, including the cyber-security skills shortage and the need to articulate risks to the board effectively.
Professor Fred Piper, the legendary Professor Emeritus at Royal Holloway, University of London and an adviser to GCHQ on its promotion of cyber-security skills, including its accreditation of cyber-security Masters degrees, began his keynote presentation by asking what the best qualifications are for future CISOs, citing CISSP, MScs and even MBAs as some notable examples, as well as courses offered by the likes of CREST, (ISC)², SANS and ISF, and apprenticeships.
He said that the industry has accelerated rapidly in the past 15 years, from jobs that would be offered based on word-of-mouth recommendations to an age where competence is validated via renowned courses and experience.
But even then, he said that information security education must improve further, especially by introducing the subject at STEM level.
Competence, he said, is not something that comes from university, although he did highlight CISSP as the most widely-adopted qualification, and degrees as getting "more advanced and demanding", especially with GCHQ's new involvement.
Piper said that employers are looking for “more than just knowledge”, often requiring at least three years' experience – which can make life tough for recent graduates.
On GCHQ's involvement he said: “I think they're doing an excellent job at promoting and encouraging cyber-security. Are they the right organisation to do it? (define the role of CISOs in the private sector) Almost certainly not…but they have the authority and the drive to make it happen.”
And he said that more collaboration is needed between security and business.
“The whole theme of today has really been of security and business having to go together, of communication between the two. There has to be a partnership.”
He added that the future CISO depends on numerous factors, from the size of the security team or company to the culture and nature of the firm. But citing EY's Mark Brown, who spoke on an earlier panel, he reiterated that current CISOs would need to “change or be changed”.
Andrew Rose, CISO and head of cyber-security at NATS, told SCMagazineUK.com prior to the panel that the current role requires a mix of technical and business skills, as well as the ability to approach and communicate with the board. Increasingly, he sees these people coming from other business areas, irrespective of whether they have a CISSP or an MBA.