Tech vs Business in the CISO role.
This debate has been going on since I became part of the cyber security industry nearly 6 years ago.
And we are still having the same discussion...
We are caught in a paradox.
On one hand, we need people who can navigate the intricate web of technical challenges. On the other, there's a need for leaders who can steer the ship from a business standpoint.
The problem is exacerbated by the industry's infancy: we have a blurry blueprint for 'success', vast pay scales, and job titles that seem to be out of sync with the responsibilities they should match.
The mismatch between job titles, their respective duties and compensation is a fundamental problem that undermines the effectiveness of cyber security leadership.
And to be clear this isn't just about pay and prestige; it's about clarity and the capacity to deliver security while also driving business value.
So where do we start?
I very much hold the opinion that the further you climb the CISO career ladder, the less your job is about cyber security. Nothing will change my mind on that. I have spent thousands of hours with Fortune 500, FTSE 100 and cyber security execs, who are all very much business leaders before security leaders.
Yes, technical know-how is indispensable, but it's the tip of the iceberg. The true measure of a CISO's worth is their ability to translate complex cyber security lingo into the vernacular of the C-suite.
I have used this analogy before: a pilot doesn't know how the fuselage of a plane is built. And even if they did, it probably wouldn't help them be a better pilot.
I know it depends.
The CISO role isn’t binary and different businesses have different needs. But this doesn’t mean you give people job titles, responsibility, and control that don’t match up. And I think this is where the industry has a big problem.
How can we have CISO job titles with engineering responsibility and analyst pay? It just doesn't make sense.
There will always be smaller businesses that can't afford a CISO, which is fine. In fact, if a company were hiring a CISO with a proper CISO job description but awful pay, at least they would be going in the right direction.
That then becomes a financial constraint, not an issue with understanding the role.
Now, when I say "non-technical" I don't mean someone who has no idea what cyber security is; of course you need a high-level understanding of the fundamentals. Should you be able to roll up your sleeves and start coding? No. Would it help if you could? Sure, it might, but this is not what a CISO is.
Ultimately, we need people who can communicate with C-Suite and elevate cyber security. It's not a question of tech vs non-tech—it's about how you help the business move forward. We need to cultivate CISOs who can appreciate the nuance of technology but have their sights firmly set on the horizon of business impact.
There is room for everyone. One thing we do not have enough of is strong security leaders who are changing the way businesses think about cyber security. We need more thought-leaders and influencers who are inspiring our industry to do better.
My final thoughts
In the end, we need our industry to move forward. Technical or not, you need to support sustainable business growth, and you must be able to communicate with both the people in charge and the rest of the business.
I think in time we will see a shift in the way companies see cyber security. My hope is that as the threat landscape continues to grow, businesses will be forced to acknowledge that cyber security leadership is a fundamental pillar of success.
There is so much more I could say, but I will save some for another blog.
If you want to have a deeper discussion, connect with me and drop me a message!
Chief Product Officer & Co-Founder at Kovrr
10mo
Well said. Business acumen is not an optional skill for the CISO nowadays, especially in light of recent regulations. The boardroom speaks in ROI, and if CISOs can translate cyber risk into not only broader terms but also financial terms, then they'll be able to drive strategies that lead to business resiliency and positive outcomes. The analogy to the pilot is great, and what these more communication-savvy CISOs can do is build strong, technologically oriented teams that can complement the areas the CISO might be lacking. Great article.
Proven Information Security and Risk Management Leader | Board-Level Advisor on Governance, Risk, Compliance and Privacy | ISO 27001 | CISO | vCISO | CRO | Shaping Secure and Resilient Enterprises Globally.
11mo
Well said Joe. Some larger companies also include a Business Information Security Officer (BISO) as part of the security setup. The role for this person is more aligned to business than the technology side. This makes sense in some types of organisations, like IT service providers, where the BISO, although belonging to the CISO organisation, is embedded in the service delivery teams (which are quite often focused on industry verticals) to manage cybersecurity requirements and queries related to the clients being served by that team. On the other side, the BISO keeps the CISO updated on the business side of things. Of course, each organisation needs to take its own needs into consideration.
Strategic Business & Organisational Development | Cybersecurity Transformation | Business Secure by Design | Cybersecurity Culture Change, Communication & Learning | Certified Coach (ICI)
11mo
I completely agree with you. I live in Sweden and all the coming EU directives (turning into national laws) are aiming towards increased business resilience and continuity. The underlying message is clear: our focus needs to switch from security (mainly tech) to resilience and continuity (business capabilities). I think it's fair to say that a C-suite role responsible for resilience and continuity needs both business and organizational development skills. Even if the area of responsibility is narrowed down to cybersecurity, the goal is not security. The goal is to maximise the value it brings to the business (the ability to stay up and running and bounce back). What puzzles me, though, with all the coming laws requiring security culture and organizational development/change, is that most job ads are looking for cybersecurity or information security specialists. So even when the role description is anything but technical, they look for a tech specialist. I believe it is the same for most CISO ads. And we find what we look for, but not the result we're after. 🙂
Experienced Security leader with a passion for inclusion & diversity in tech
11mo
Fantastic insight as always Joe! Your points are well made, while seeing both sides. I firmly believe we need more business leaders in CISO roles, and that requires us to be more creative in how we are developing future leaders and where they are sourced from. This is another opportunity for disruption and to help improve diversity (in its many forms). Keep the great content coming!
Cybersecurity Executive | VP Citi : Infrastructure Defense Engineering SASE | Zero Trust | Cloud Security - CNAPP | GRC | Blockchain | Independent Board Director (NED) | Adjunct Lecturer | Open Networker 🌏 ✨
11mo
💯 agree. The only thing I'll add is that if you're able to find that blend of both business savvy and technical experience, then you've hit the jackpot with any CXO, not just CISO. I've seen so many times C-suite with great plans but unable to execute successfully, making decisions based on analyst reports which they don't understand, so there is a dire need for this blend IMO.