As someone with a C-level title in a security company, I get lots of marketing emails every day. And like many of my professional peers, I tend to delete them without much thought. However, a few days ago, I noticed something – a cluster of advertisements about the importance of cybersecurity fundamentals such as phishing and patching. I couldn’t help but wonder who they were marketing to, given that the targeted audience based on the tone and language seemed to be CISOs. After all, who in that role wouldn’t understand the significance of the basics? Then, I realized that there’s a persistent trend of non-technical, non-security professionals being “promoted” to the role of CISO. This begs the question – why do some organizations choose non-technical, non-security CISOs?
Generally speaking, the role of a CISO is to oversee the organization’s cybersecurity strategy, planning, and implementation. Traditionally, this role was reserved for security professionals with relevant qualifications and experience (historically a technical background, more recently legal, risk, or privacy). However, as the demand for cybersecurity professionals continues to rise, many organizations are struggling to find the right talent. As a result, they are promoting professionals from other disciplines such as finance, product, and operations to the role of CISO. While some organizations have found success with this approach, it has sparked a debate on whether non-technical, non-security CISOs are effective.
One of the primary arguments against non-technical, non-security CISOs is that they lack the technical know-how required to combat today’s cyber threats. Cybersecurity is a rapidly evolving field, and it requires continuous learning and upskilling. A CISO who lacks a technical background might not fully grasp the complexities of different cybersecurity threats and how to defend against them. As a result, they might not be able to develop an effective cybersecurity strategy for the organization.
However, proponents argue that non-technical, non-security CISOs bring a fresh perspective to the role. They may have a better understanding of the business requirements and thus align the cybersecurity strategy with the organization’s goals. In some cases, they can communicate complex cybersecurity concepts to senior management and other stakeholders in non-technical language, which is crucial for gaining buy-in and support for cybersecurity initiatives.
Another argument against non-technical, non-security CISOs is that they might not have the credibility required to lead the organization’s cybersecurity efforts effectively. Typically, security professionals are fluent in and accustomed to the larger cybersecurity community, which makes it easier for them to work with external stakeholders such as regulators and auditors. However, a CISO who lacks a security background might not have the same level of comfort, which could affect the organization’s overall cybersecurity posture.
On the other hand, proponents argue that non-technical, non-security CISOs can build relationships with other departments within the organization that might have been neglected by security professionals. They can work closely with stakeholders such as finance, product, and operations to ensure that the cybersecurity strategy is aligned with the broader organizational goals. Additionally, they might more easily build bridges with other departments to ensure that cybersecurity is part of the organizational culture instead of a separate function.
The debate on non-technical, non-security CISOs is ongoing. While some argue that they lack the technical know-how and credibility required for the role, others believe that they can bring a fresh perspective to the organization’s cybersecurity efforts. Ultimately, the effectiveness of a CISO depends on various factors such as the organization’s culture, its business requirements, and the cybersecurity landscape. Therefore, it’s essential to evaluate the qualifications and experience of potential CISOs and select the one that’s best suited for the organization’s unique needs.