The message in recent years to chief information security officers (CISO) and chief security officers (CSO) is that, “it’s not enough to be a geek.”
What is still to be determined is whether a training program – even a good training program – is all it will take to make them more than geeks.
Clearly, there is a perceived need. While CISOs in many organizations are part of the so-called C-suite, surveys show they are generally held in low regard by their C-level colleagues, who think their skill set is too narrow, that they are unable to “speak the language of business,” and are most useful as a scapegoat in the event of a data breach, not as a strategic participant in business decisions.
A survey conducted by ThreatTrack about a year ago found that 74 percent of the 203 C-level executives surveyed thought CISOs didn’t even deserve a seat in the executive boardroom.
Things apparently have not improved much since then. ThreatTrack, in a follow-up report this past June said that while CISOs had made some progress, they still had a long way to go, with other C-level executives expressing, “serious doubts about their CISO's leadership abilities and understanding of business objectives outside security.”
Some things have changed, however: There is a greater awareness of the problem, and a number of vendors are offering to help fix it.
More than a year ago, the 2014 RSA conference offered a half-day session, “discussing the many aspects of business that affect CISOs, from audits to understanding employee behavior and dealing with boards of directors.”
In June 2014, Deloitte Cyber Risk Services launched what it calls an, “immersive CISO Transformation Lab,” designed to elevate CISOs from simply, “technologists and data guardians into business-minded advisers and strategists.”
And Yuri Sagalov, CEO and cofounder of AreoFS, says he has helped a number of CISOs and CSOs prepare for what he calls “question overload” in the corporate boardroom.
Yuri Sagalov, CEO and cofounder, AreoFS
But is training, even if it is “immersive,” enough to transform techies, or geeks, into business leaders? A cover story this past June in Time magazine titled “How high is your XQ,” suggests it may be more complicated than simply absorbing some new information or developing a skillset.
Time reported that an increasing number of employers are using personality tests to screen applicants, in the belief that raw qualifications are not enough – that people also need to be a good “fit” for a job, in areas like temperament, personality and aptitudes.
But several IT experts say that while it will take some effort, CISOs can indeed adapt to functioning well as business leaders.
Sign up for Computerworld eNewsletters.