With all the frustration boiling about Equifax's security head being unqualified, and as someone who isn't a security expert myself, I'm genuinely curious about what a head of security needs to know in order to do their job effectively.
1.) Politics - ability to negotiate, ability to convince. Experience with management - ability to enforce the rules and create an organization that follows them. Ability to write down understandable rules. (There is no security if employees don't follow the instructions and share passwords with each other.) That means creating structures for employee learning including lessons etc., understanding incentives, and knowing how to verify things are done the way they should be.
2.) Politics two - ability to plan, think ahead and gauge risk vs cost (unless you are the CIA you don't aim for zero risk). Follow-up plan, have plans about what to do after an incident including PR and know that such a plan is needed.
3.) Knows big picture security. Knows various standards, what they are good for, how much they cost, their weaknesses and whether they are a good idea for your company. Understands what the rules in those standards are for and whether they apply.
4.) Lower picture security - knows what pen testing and intrusion detection are, a bit about networks etc. etc. Does not need to be an expert and configure the stuff from the top of their head, but needs to understand what his/her people are talking about when they talk. Needs the ability to distinguish between bullshit and fact.
Being good in politics does not imply avoiding conflicts. It implies an effective approach to them. Most importantly, the ability to defuse the conflict and the ability to find a solution that satisfies multiple parties is not conflict avoidance - it is a rational approach instead of an emotional, angry one. The direct angry confrontation is sometimes part of the conflict solution too, if you have that kind of personality, but even there you need to control yourself enough not to make a complete fool out of yourself - and know when not to do so. Which is pretty easy for angry people.
The other part of politics is understanding what other people are up to and why they are doing what they are doing. Knowing who can make decisions, who can be trusted in what, who is stubbornly refusing change and thus it is a waste of time trying to convince him, etc.
I would say instead, "Manage conflicts". That is, be able to constructively disagree with management above, below, and at your level, manage a reasonable discussion while advocating strongly for your position, and accept defeats and later "told you so" moments with grace and class.
Amongst others, people skills. Excellent written and spoken communication skills, good presentation skills; the ability to explain to people why they have to be so inconvenienced and ideally make them want to. Flexibility and compromise; empathy and understanding and the willingness to relax security restrictions in the right circumstances.
The biggest obstacle to security is the people you're trying to keep secure. If you don't get them on side and keep them on side, they will subvert security themselves from the inside. Get them on side and keep them on side and they themselves will identify opportunities to improve security that might otherwise be left open forever.
They must have a strong network in the industry, so they can hire and poach the best from their network.
They must know how to hire. They are not going to be the ones that are doing the actual work so they need a competent team.
They must know enough to listen and make decisions. It's not enough to have a team if you won't listen to them. You must be competent enough to listen to them, so that if someone comes to you and asks for $100,000, you can gauge that it's a smart spend and authorize it quickly. Security is not one of those things you can sit on and wait on.
- A good understanding of functional IT, knowledge about typical systems and processes in an industry (BFSI/Tech/Life Sciences), what sort of things are being protected from hackers (Windows-heavy environments/macOS-heavy environments)
- Must have hands-on knowledge in network security and the tools/processes being used in a company
- Must understand regulations related to the industry (e.g. HIPAA)
- Must have at least 10 to 15 years of experience in 3 or more areas of security like Network Security/SOC, Audit/Compliance, Risk Management, Sysadmin/Network, Security Engineering.
* A solid understanding of security technology. I don't expect a CISO to be able to field-strip a firewall or jump in and take the place of one of her line analysts, but I do expect the CISO to understand firewall technologies and talk intelligently about why they're important. One of the CISO's jobs is advocating for security controls with other business organizations, which necessitates the ability to talk intelligently and in layman-understandable terms about what those controls entail, what those technologies do, and why they're important. A CISO who doesn't understand what a digital certificate is will have a hard time arguing for protecting them or will accept weak protections because they sound stronger than they are. Worse, a CISO who doesn't understand security solidly may call for implementing controls that don't make sense or that don't afford any protection, or will focus too heavily on one area while neglecting another. The amount of technological know-how in the CISO will likely vary according to company and org size: the CISO of a small company will likely also be the security person and therefore should be very security-tech-savvy; the CISO of a large corporation will likely be much further removed from the console glass because their scope is much larger. In the latter case, you would expect the CISO to have a solid organization of very security-tech-savvy people to whom the CISO would listen closely and trust to make good recommendations. (This latter part seems to get overlooked.)
* CISOs must understand risk, and be able to articulate it in a balanced picture to non-security people. CISOs who always say no and couch risk in the most apocalyptic terms are actively disabling their companies; CISOs who always say yes and couch risk in the gentlest terms are setting their company up for Equifax-level failures. The old saying is "A ship in harbor is safe, but that's not what ships are for" - the CISO needs to be able to let the ship sail when appropriate while still pointing out the reefs on the map.
* Along similar lines, the CISO needs to understand her particular company and its industry well. If you don't understand what makes the company money, you may wind up arguing for controls that cut profits or hinder business. CISOs also need to understand and anticipate trends in their industry and as a whole. Cloud, containers, agile development, devops, these are all huge trends in the industry right now, and a good CISO will see them coming and have considered where to fit them in (or where to say "nope, can't do that (right now)...and here's why") so when the business pops up and says, 'We want to do that!' she can explain what's possible, what's reasonable, and where the risks are for their particular business. A healthcare company with extensive HIPAA and FedRAMP regulations is going to have an entirely different approach to the cloud than a software-focused startup working on a new social media solution!