In this changing world, the new CISO needs to understand how information security can empower an organisation to meet its strategic goals. Equally, they must understand how it can make or break the organisation. They may also need to help the organisation move from compliance and crisis-driven strategies towards a more mature risk-based approach, where they spend more time reducing future risk and less on mitigating current threats and regulatory issues.
https://www.fieldengineer.com/skills/certified-wireless-security-professionalA strategic mindset is required in order to be able to look at the changing threat landscape, understand the implications of developments in technology and working practices, and be able to interpret how this will affect the organisation.
CISOs must be allowed to assume a business-leadership position, dispelling the idea that security is a technology and support function. Strong communication skills are paramount, with the ability to influence at board level to ensure appropriate programmes are realised to maximise and prioritise best use of available resources. Where they should be positioned within the organisation will depend on the existing structures, but to work effectively there should be a dotted line to the chief information, risk and finance officers.
In addition, they must ensure that information security permeates the organisation. This ranges from understanding the information risks posed by new and existing ventures, developing secure systems and infrastructures, maintaining appropriate controls, implementing governance structures, and evangelising a strong security culture across the organisation at all levels.
It is a task that some, including the UK Government in its 2011 Cyber Security Strategy, are now calling information assurance. It represents maturation from IT security through information security to information assurance.
All this requires analytical, organisational, technical and communication skills. It is unlikely that one person will be able to cover everything to the level required, so the CISO must be supported by an effective team of security professionals.
These professionals will, of course, have varying skillsets – specialisation increases as the environment becomes more complex – so it is important to understand what you are looking for. A highly technical developer or penetration tester may not be the best person to evangelise a security culture, say, while a risk analyst may not be the best person to configure a complex firewall.
Larger organisations can generally support larger teams with a wider range of expertise. However, even here it may be more appropriate to buy in specific expertise that is expensive to maintain and only occasionally needed, such as forensic analysis and penetration testing.
Similarly, smaller organisations may need consultancy to help define strategy and good process. Whether employing individuals directly or using third parties, it is important to ensure that the recruiter or contractor is supported by someone that understands the skills being offered – and to seek assurance through accreditations, recommendations and references.
So how do you identify a good practitioner? The Institute of Information Security Professionals (IISP) has been providing accreditations for a number of years. The model it uses works on the basis that a security professional has deep and demonstrable knowledge; it therefore expects accredited members to demonstrate that they have invested in themselves through training courses and qualifications, such as a Master’s degree in information security.
They also need to demonstrate that they have effectively applied this knowledge within the working environment and evidence their depth of knowledge. Finally, they need to show that they can work as a professional within an organisation using skills such as team working, leadership and corporate behaviour.
The accreditation is rigorous carried out through peer review by existing member, and includes an in-depth interview for the higher full membership level. Criteria are measured against the IISP skills framework which was developed through public and private sector collaboration by world-renowned academics and security experts. So when employing security professionals you need to ensure that you measure against these criteria and “know what good looks like”.
Com