
What Makes A Good CISO?

  • Writer: Brainz Magazine
  • Oct 11, 2022

Updated: Feb 21, 2024

Written by: Anna London, Executive Contributor

Executive Contributors at Brainz Magazine are handpicked and invited to contribute because of their knowledge and valuable insight within their area of expertise.


There have been multiple articles and opinions regarding what makes a good CISO. The question that we should be asking is: what makes an effective CISO?


Let’s start by differentiating between myth and truth.


Myth No.1: CISOs are required to have a technical background.

Truth: Most CISOs in positions today have never held a technical position where they have had to build and protect infrastructure as an engineer, analyst, developer or sysadmin.


Myth No.2: CISOs are required to have a technical degree in IT or Cyber Security.

Truth: Most CISOs in today’s positions in both commercial and government organizations have degrees in mathematics or business, not in information technology or cyber security.


Myth No.3: Industry certifications like CCISO, CISSP, Security+, Network+, CEH et al. make you a subject matter expert.

Truth: If you are a good test taker, you can study for the exam and pass it. Many college and trade school boot camp grads learn how to study for exams and pass the test with little to no hands-on experience in cyber security or IT. These industry certifications do not make us experts ‒ only years of hands-on industry experience can do that.


Myth No.4: Having held a prior CTO/CIO/CISO position qualifies you as a cyber security expert.

Truth: Most positions at this level are given to a privileged set of men in a “good ol’ boy” network. They are not given based upon past performance qualifications in an actual technical position where the application of cyber security prevention mechanisms is paramount. It is who you know and clearly not what you know.


Myth No.5: Start-up CTOs are experts in cyber security and building secure applications.

Truth: This could not be further from the truth. Most start-up CTOs can barely spell or build a minimum viable product (MVP), much less secure the very applications they are irresponsibly putting out in the public domain through mobile app stores like Apple and Google. Security is an afterthought with most start-ups. VCs and angel investors want MRR and DAUs and are not measuring the quality of applications, nor taking into account the security of the very applications they are investing in, to ensure that the data being processed, stored and transmitted through these platforms is secure and remains secure.


Myth No.6: Being a good visionary is all that is required for a good CISO/CTO/CIO.

Truth: I have witnessed many organizations where there is a good IT Strategic Vision with great ideas, but ideas are not enough. You have to know how to translate that vision into actionable and sustainable steps. This is the part that is lacking at many organizations, so many great ideas never see the light of day because leadership lacks the skills to see them through.


CISOs/CTOs/CIOs are accountable and responsible for managing the resources (budgets, people, processes and technology) with regard to corporate and application security compliance. How on earth are we to expect adequate protection of data at organizations and corporations if the people at the top do not have the strong technical acumen needed to ask the right questions and manage resources effectively in order to implement strong defenses? Having a business background is not enough. It is analogous to a professor who has spent their entire life in the classroom teaching MBA programs yet has never owned a business themselves. Knowing theory and keywords is not enough to be an effective leader in the cybersecurity industry. Prior and current hands-on knowledge is the key to success here. You can “rely” on team resources all you want for answers as a leader. However, in today’s world, where imminent threats to data are paramount, theory cannot replace the hands-on practice needed for leaders in IT/Cyber to be effective in reducing and/or eliminating data breaches. Proactive prevention is the key, through hands-on knowledge of how to implement best business practices and manage your people, processes and technologies effectively. There is a business risk and a cyber risk. BOTH are equally important, and BOTH qualifications should be taken into consideration when hiring a CISO/CTO/CIO for your organization.


Follow me on Instagram, and visit my website for more info!



Anna London, Executive Contributor Brainz Magazine

Anna London is a US Army Veteran, Colon Cancer Survivor, Educator, Cyber Security Expert and Entrepreneur.

 
 

This article is published in collaboration with Brainz Magazine’s network of global experts, carefully selected to share real, valuable insights.
