There is no doubt that the role of the CISO is to be a thought leader in the area of IT security, but that is where the agreement ends and the debate begins.
As security has become more important to organisations, and security-minded people continue to raise security issues with senior leaders in an organisation, the role of a CISO takes on a form of its own that is specific to the company.
This means that CISOs have different focus areas that they need to specialise in depending on the culture of the specific organisation they serve.
There is nothing wrong with this. In different organisations, most job functions, including CFO, COO and even CEO, will vary to some degree.
But at some point the degree of variation will make it hard for an organisation to hire the right kind of CISO. That same organisation may not even know what it needs.
Here are some critical functions that a CISO needs to be able to perform to be an effective leader. This is not meant to be an all-inclusive list, just one that lets readers decide whether these items can be effectively accomplished by a technical or non-technical individual.
The right person needs to be given breach responsibilities and needs to act quickly and in the best interest of the company when something does go wrong.
This should entail the ability to know when a company has been breached, at what level and to whom the breach should be communicated, what immediate actions need to be taken to properly protect the organisation, and what steps should be performed to contain the breach.
Ultimately all of this would either roll up under the CISO or be performed by the CISO directly.
As a company progresses forward in business, new technology can help with innovation by bringing new products to market, improving on existing products, opening up new revenue streams or modernising existing ones.
An organisation that is dedicated to ensuring that its customers and data are protected will typically rely on some entity to help it build or implement secure infrastructure. This can include integrating new technologies into the monitoring capabilities of security operations centres, or selecting specific technologies that are more secure than others, while all the while helping to enable the business.
The security team's function could be implementation or just be a validation that chosen technology complies with security policy. A CISO and his or her organisational leaders need to be able to direct technical staff to ensure business objectives and risk tolerances are met.
Further, a CISO must be able to speak to senior members of an organisation and, in some situations, a board of directors.
This is no easy task, as the person filling the CISO role needs to be able to articulate complex technical issues and risks effectively and in a way that is clear, gets to the point quickly, can be well understood, and does not cause any unnecessary panic.
Not only does the CISO need to be a good communicator at this level, but they also need to ensure they understand their audience and make the right decisions about what to bring to its attention. More often than not, a CISO may only get a small amount of time every few months in front of a board. They need to know how to make it time well spent.