Budding chief information security officers (CISOs) would be better off boning up on business, communication, and risk management skills than getting bogged down in detailed discussions about technology, according to a panel of senior security professionals. The overwhelming message from the InfoSecurity Summit 2012 in Hong Kong …
There's every reason that a CISO should be savvy to the workings of the business, and very little reason why she or he should be technically competent. As long, of course, as said CISO has a team of people who do understand the technology.
Interesting that the 'Panel of senior security professionals' (aka 'Men in Shirts') didn't seem to think such minions to be worthy of notice.
If they're not technically competent
They will request, and then pressure the minions for, things that are self-contradictory or otherwise impossible.
CISOs should sit with service delivery and change management teams, they should sit on the CAB; they shouldn't be floating islands that everyone perceives as merchants of the word "NO".
They should also have some technical competencies and rightly come from a technical background.
Re: If they're not technically competent
@AC15 I think you are confusing in-depth technical competency with the ability to do a job. A board level member shouldn't need to be technically competent, as long as they can do the job. The ability to do the job means that they know who to listen to and the correct questions to ask them in order to get the information needed. They should also be able to keep up with technology advances at a high level.
An example is that at my previous company, if one of the Storage support or design team had been running storage as a whole, we would never have moved away from EMC at all anywhere, we would never have stopped using mirroring. The person running storage knew which questions to ask which people, and we realised that we could do these things and save the company money.
They don't have to come from a technical background if they a) have the techies in the risk management meetings/assessments etc and b) Have an IT Security Manager under them...
but... almost every information security manager I know came up through the IT Security route. Mainly because it is easier to teach a techie how to do risk management than teach somebody who knows risk management about IT (which of course is not necessary if they meet the criteria stated above, i.e. if you don't have an ITSec Manager then your InfoSec manager needs to be techie).
Far too many organisations (and people) confuse IT Security with Information Security. If you want to be CISO you need to know about information security management (assurance/governance, risk, incident AND ITSec) and have somebody technical in charge of ITSec.
The scope of InfoSec is much broader (including, physical, personnel etc) than IT Sec. It's the same scope difference as between IT Service Continuity and Business Continuity. BC covers more than just ITSCM and requires you to be good at risk management.
So yes - if you want to be good at InfoSec you need to be good at risk management.
The person who makes decisions such as which vendor to choose, which product to use, which architecture should be employed, that person needs to have an in-depth technical understanding of those things.
If the CISO wants to appoint someone who has the knowledge to make those decisions then that is fine. The problem I see everyday though is that "suits" make buying decisions based on pretty graphs and then the technical people who implement and use the security controls are stuck with products and solutions that don't work.
What I see is that not even "junior" or operations managers have the security and technical knowledge necessary to make effective decisions. That might be OK if those managers are just making staffing, financing, administrative decisions. But if they are making security and operational decisions then it is a disaster.