Is there such a thing as a “hands off CISO”? No. There is no such thing. In the debate around what the CISO does and does not do, what they are and what they aren’t, there is no room for a choice between “hands on” and “hands off.” This isn’t a question of who punches keys, rolls up their sleeves and configures firewalls. That’s not what I mean here. The point is that for a CISO to do what a CISO does, they must be more than an executive managing resources.
The CISO cannot be just the person who manages the projects or the budget. Those roles belong to project managers and budget managers respectively; it’s not that the budget and the projects don’t matter, but they are not what defines the CISO. Nor can the CISO be solely a subject matter expert in one narrow security field. That doesn’t mean a crack network security engineer can’t become a CISO, but when they do, it is because they have grown beyond their discipline.
In fact, when the National Research Council’s Committee on Professionalizing the Nation’s Cybersecurity Workforce discovered how diverse the skillsets were for that workforce, they reached a few odd conclusions. In their 2013 report, Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision Making, they wrote:
- Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.
- Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.
In other words, to be at the top of this “wide range”, the successful CISO must represent that diversity of disciplines.
To be more specific: the CISO has to combine two triads, overseeing the technical, physical and administrative safeguards that protect the confidentiality, integrity and availability of the Enterprise’s information systems and assets, with a third triad related to Enterprise Risk. Concern for that triad of risks (reputation, financial, and regulatory/contract compliance) is what accounts for the CISO needing to be so broad in their “focus.” A “broad focus.” That’s the CISO’s oxymoron.