I was in Bratislava this week for an IDC Conference. During these kind of events I often talk to the press as well. Additionally I had this time the opportunity to talk to a pretty well-known blogger in Slovakia called Jozef Vyskoc. You may have a look at his blog (provided your Slovakian is better than mine J).
However, this was a very interesting experience to me as it was more a peer discussion than a real interview as Jozef knows a lot about security. During the discussion he was asking an interesting question: What is, in my opinion, the ideal profile of a Chief Security Officer? Is it more a technology profile, a business profile, a communication profile,…?
This was a question which made me think and I would like to get your view on this as well but let me start:
From my point of view a CSO needs a broad architectural view on IT. He/she has to understand the implications of a decision at a broad scale and has to be able to judge the corresponding changes in the risk model. Additionally the CSO has to have very good communication skills – and this is, where I see the biggest challenge in today's organizations. The CSO is an engineer, much too often, with great technology skills. He/she is able to discuss the very last bit of the specification of TCP/IP knows all the ports for all the protocols by heart and impresses the technology specialists on that side. The challenge is, when they have to go to the board and talk about risks: They explain the latest exploit to the vulnerability in an OS in a way the CEO has no clue what the CSO is talking about…
I know that this is not completely the case and I hope that nobody out there just got a mirror in front of his/her face but what I wanted to say is: The CSO has to have a very broad IT skillset and in addition some business know-how and finally very, very good communication skills. We have to be able to make the business understand the risks in their language. This is the only way the business can take their role in risk management and decide on the risk management strategy and the acceptable level of risks.
What is your take on that?