An executive recruiter asked me recently if I was interested in a chief information security officer job she was trying to help a large government organization fill. Even though I'm not in job-search mode, I'm always interested in hearing about new opportunities and often know friends and colleagues who are looking. So after I let her know I wasn't a candidate, she described the role, reeling off a long list of personal qualifications, certifications, academic degrees and professional experiences — a collection of requirements that would be virtually impossible to find in a single individual.
Over the years I've developed an intuition about the way people interview, and it became obvious that the organization didn't really understand what it wanted or even what the role of a CISO should be.
At the end of our conversation, the recruiter admitted that she realized her client was looking for a "purple unicorn," but the organization had gone through three CISOs in the past five years and those in charge of filling the job wanted to make sure they were establishing the right expectations at the beginning. That's an understandable concern, because a game of musical chairs in cybersecurity leadership serves neither the organization nor the CISO well.
After I told the recruiter that I would ask around my network, it occurred to me that most of the recent CISO searches I've seen were casting about with the same kind of laundry list of purple-unicorn requirements. I thought about how much the CISO job has changed over the years and how my meager qualifications back in 2004 when I got my first CISO role wouldn't have even entitled me to an introductory call in 2020.
Twenty years ago, a CISO was expected to be a technical expert in all facets of the management of security operations within an organization. And that was a reasonable expectation because the technology and regulatory environments were fairly well bounded and fit on a single sheet of paper. Fast-forward to 2020, and the security world has become so complex, with such a vast array of competing technologies, nation-state and mob-like bad guys, and a dizzying array of regulatory and compliance requirements that being a comprehensive cybersecurity expert is futile. Managing risk is the name of the game today.
This will sound like heresy to some of my colleagues, but a CISO today cannot possibly be a subject-matter expert in all things cyber. "In theory, the CISO is an executive management position," says Gal Shpantzer, an information security consultant who provides virtual CISO services. "This implies a lot of experience and expertise in collaborating with peers, delegating to and consulting with internal and external experts at various levels, that requires both very technical and very bureaucratic skills."
If we look at this from the traditional perspective of people, process and technology, while technology certainly jumps out as the most dramatically changing facet of information security, people and process requirements have also been on a high-speed change trajectory. Nils Puhlmann, the chief trust and security officer for the business travel platform TripActions, says that "for most folks, 'cybersecurity' is a simple term often describing a simple problem — bad guys attacking devices, systems and data. But for CISOs, this simple term is actually a highly complex world of very different areas of expertise which they have to manage holistically without missing a beat."
One of the most difficult CISO challenges today is hiring qualified people and then retaining them in an environment where competition for their services is ruthless. Government organizations have an additional disadvantage in that they must compete for that talent when private-sector companies can offer a lot more money and other incentives. This means keen human-resource skills are necessary for today's CISO and something that needs to be teased out in the interview process. Personnel turnover costs are significant, so hiring right the first time is more important than it's ever been.
Process has become central in determining how a government organization addresses risk in a world in which meeting standards, regulations and compliance requirements consumes a huge amount of resources. Policies as disparate as the European Union's General Data Protection Regulation and the California Consumer Privacy Act, along with government requirements for vendor accountability in contracting and the vast array of other increasingly complex regulatory obligations, require both technology and business acumen. The process of working across the organization to establish security policy foundations that everyone understands and can comply with is no small matter. CISOs need communication, diplomacy and leadership skills that haven't historically been in the vocabulary of technologists.
Finally, and with respect to technology itself, there are well over 3,000 cybersecurity vendors in the global market today, offering everything from end-user device management to identity and access control, automation of security operations centers, insider-threat mitigation, cloud security and dozens of other categories of products and services. Most government organizations employ between 40 and 100 different vendor products and services, and it is impossible for a CISO to even know all of the different solutions in use in the organization, much less have expert knowledge of them all.
Cybersecurity is, and will continue to be, a highly dynamic environment in which the threat landscape shifts faster than most of us can keep up with. My counsel to both CISOs and the people hiring them is that whoever holds this position should aspire to be an expert at managing the many complex specialty areas of security, rather than an expert practitioner in any one of them. That is, macro rather than micro, with the ability to achieve what the cybersecurity entrepreneur Rajeev Shukla calls "a zen-like balance" in managing the various strategic and tactical requirements of organizational security.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.