The question “should a CISO be technical?” continues to pop up, and I wanted to weigh in. This question, for me, is highly personal as I have blazed my own trail with cyber security management and technical acumen over the last four years. I will rely solely on my personal experience as circumstantial evidence to add to the discussion, but other experiences will also help us determine the best pathway for cyber security professionals.
The Question. Many are asking, “should a CISO be technical?” The question is overly simple, so the best answers are highly nuanced. In my mind, the question relates to a somewhat specific hiring choice. When a company plans to hire a CISO, it must decide the correct set of qualifications for this person. Should the company seek someone with hands on certifications (OSCP, RHCA Security, CCIE Security, etc.) or even a computer science background? Are there downsides to hiring someone whose experience is solely managerial with primarily cyber management qualifications (CISSP-ISSMP, CISM, etc.)? I am choosing to invert the question, a method I find useful to think outside the box. Instead, I will ask, should a CISO be non-technical? In other words, should we, the information security community, develop our future industry leaders to be highly technical?
Rush to Management. In my own career, I was quickly rushed into management. I have spent every moment of my job at the US Space Force doing managerial and administrative tasks — scheduling meetings, making PowerPoints, writing point papers, or providing direction. I was asked to do this after a six month training for officers entering the cyber operations field, encouraged to jump in and “take charge.” Speaking up was encouraged; fighting hard was encouraged. The issue? I had no idea what I was doing. I learned the real details of cyber security on the side, and I only realized in retrospect my lack of knowledge.
Too Many Managers. Management is a logical advancement as people move along in their careers. I respect people who want to be managers, but there are too many of them in cyber security. In my career so far, I have been rewarded for presenting a lot of ideas. People can argue with ideas. People cannot really argue with progress. If your organization detected the SolarWinds attack early and minimized the damage, leadership cannot really argue with these successes.
What is Technical? Many people who are “technical” in cyber security may just be compiling access control policies, collecting security scan results, or working on other authorization documentation. This experience is great, but it is not really what I mean by technical. By technical I mean really fixing security bugs in software, configuring MAC in Linux, implementing a firewall, or similar, on-system activities. At the end of the day, we must perform these types of activities to actually secure a system. Everything else is just overhead. If you are not doing these activities, your work is really managerial or administrative albeit possibly “technical” on paper.
Negotiation. Cyber defense technologies are not everybody’s cup of tea. Endpoint products require system overhead, cyber defense infrastructure costs money, and audits or approval processes slow down production. Negotiation, unsurprisingly, is therefore the top skill which I have improved in the US Space Force. In addition to understanding risk principles, CISOs should consider negotiation their most important skill. Security has a negative value proposition: you are trying to prevent an outcome rather than create a specific outcome. Negative value propositions are an extremely hard sell, only great negotiators can enable this outcome.
Unicorns. I have argued that CISOs (and CIOs for that matter) need both technical and interpersonal skills. Some recruiters may think I am crazy, where will we find these unicorns? I am not saying that all cyber security professionals need all of these skills. I myself did not have these skills when I entered the industry. The Air Force took a chance on me and helped develop these skills. I am saying that we should groom our workforce to become these unicorns. Our future CISOs must be both highly technical and superb business leaders.