Interview With an Expert: How Does a CISO Learn to Be a CISO?

The role of the chief information security officer (CISO) is quickly becoming more important as cybersecurity becomes more intertwined with companies’ business activities. This trend alone shows how versatile the position has become.

To learn more about what qualities a successful CISO should have, it’s best to talk to one. Mr. John Hellickson, managing director, Strategy & Governance at Kudelski Security and former CISO at First Data Corporation, agreed to give InfoSec Institute readers a backstage look at areas usually reserved for the experienced security experts who practice this profession.

1. What are the areas in which a CISO should be particularly experienced in order to be successful?

Mr. Hellickson: There are many unique factors in the CISO’s path to success, and they can be quite different across companies and industries. The role used to be seen as the company’s information security technology expert, often buried in the IT organization.

Today, at most organizations, the position prominently involves risk management. The CISO needs to fully understand their industry, establish a security vision for the company, and align their security program to the business’ goals and objectives. Moreover, communication skills are key, with the ability to speak the business language, while maintaining the capability to get in the technical weeds with the IT, Application and Development teams across the company.

At the same time, they need to demonstrate strong leadership skills and be able to influence others to manage risk, particularly when they don’t report up through their own chain of command. Since security pretty much touches every part of the organization, the CISO becomes an asset when they manage to create a bridge between the technical approach and how they convey the positive impacts their investments and controls have on the organization.

Ultimately, the CISO must be (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dimitar Kostadinov. Read the original post at: