The best CISO isn't necessarily the technical-minded one: HP

The knowledge to understand exploits and vulnerabilities isn't necessarily what the modern-day CISO needs, and could, in fact, be a waste of a good resource.
Written by Michael Lee, Contributor

As Gartner argues that the boards should be listening more to the CISO for advice, rather than treating them as the defender of the business, Hewlett-Packard CTO for Enterprise Security Andrzej Kawalec believes that the modern CISO requires less of a technical background and more of a risk-oriented one.

Speaking to ZDNet, Kawalec pointed to the more balanced professionals that he sees as the new generation of CISOs.

"It's no longer just computer science, cryptography majors. We're seeing lots of lawyers, lots of people with MBAs coming in, social scientists coming in. They're really interested in privacy, the nature of relative security in organisations, and how you manage risk, not just in how many types of cryptographic [algorithms] and quantum physics you can apply."

Kawalec said that the role of the CISO has been ill-defined, partly because it keeps changing in response to rapid technology changes, and that it doesn't necessarily require a technically minded individual.

This means that the CISO, although traditionally viewed as the person the board goes to on technical matters, doesn't necessarily have to have technical expertise.

"Don't believe that you need to have an in-depth knowledge and understanding of specific security products, or the technology controls, or how a vulnerability would be exploited. That's not a good use of resources. You really have to understand what's the impact of this part of my architecture going down or being affected."

Although many organisations might look among their security operations managers for a technically minded candidate for their CISO, Kawalec said that it might not always be the best choice.

"I don't think that everybody needs to or wants to become a risk practitioner. [The] operational security manager is still one of the most important points in the process, in the value chain," he said, adding that the two roles have very different skills.

But there is an overlap, where Kawalec said it makes sense for the right candidate to be taught the skills to become an effective CISO.

"Lots of security managers will make amazing CISOs because they understand the infrastructure and they can help articulate that from a business risk perspective. I don't think it's fair to expect everyone to do both, just as I don't expect the CISO to respond immediately to a deep, technical query."
