Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA, let's share interesting security information

The ideal profile of a CSO


I was in Bratislava this week for an IDC Conference. During these kinds of events I often talk to the press as well. Additionally, this time I had the opportunity to talk to a pretty well-known blogger in Slovakia called Jozef Vyskoč. You may have a look at his blog (provided your Slovak is better than mine :-)).

However, this was a very interesting experience for me, as it was more a peer discussion than a real interview, since Jozef knows a lot about security. During the discussion he asked an interesting question: What is, in my opinion, the ideal profile of a Chief Security Officer? Is it more a technology profile, a business profile, a communication profile, ...?

This was a question which made me think, and I would like to get your view on this as well, but let me start:

From my point of view a CSO needs a broad architectural view of IT. He/she has to understand the implications of a decision at a broad scale and has to be able to judge the corresponding changes in the risk model. Additionally, the CSO has to have very good communication skills, and this is where I see the biggest challenge in today's organizations. Much too often, the CSO is an engineer with great technology skills. He/she is able to discuss the very last bit of the TCP/IP specification, knows all the ports for all the protocols by heart and impresses the technology specialists on that side. The challenge is when they have to go to the board and talk about risks: they explain the latest exploit for a vulnerability in an OS in a way where the CEO has no clue what the CSO is talking about...

I know that this is not completely the case, and I hope that nobody out there just got a mirror held in front of his/her face, but what I wanted to say is: the CSO has to have a very broad IT skillset, in addition some business know-how, and finally very, very good communication skills. We have to be able to make the business understand the risks in their language. This is the only way the business can take on their role in risk management and decide on the risk management strategy and the acceptable level of risk.

What is your take on that?

Roger

Comments
  • Firstly, I don't have one hard and fast opinion about this, as my view changes as you adjust the parameters around the question: what size organisation is it; what is your pivotal customer base (internal, external); is the CSO position empowered, or symbolic (yes, I've seen this); etc. That said, here's my generalised summary.

    By the time one reaches the CxO level, it's more important to know how to find technical answers rather than necessarily memorising them - that's the objective of having non-CxO staff. You're not dropped into a CxO level to perform the same fundamentally technical task you had been, you're expected to enable business - whether that be through avenues such as reducing operational costs (such as in an internal IT shop), facilitating partner collaboration (not just communication) or responsibly advancing customer offerings.

    Whilst some of these responsibilities arguably lie more so with the CIO, if as a CSO you're saying "no" more often than "yes" (even if it's "yes with caveats"), then you've missed the point of being at the CxO level. It's for your technical staff to argue "no" or "yes with caveats" based on the technical risk; it's for you to understand (emphasis on understand) that risk and to know whether that's enough to offset whatever business component it's being weighed against. If that component represents something as significant as an IT strategy, for example, then you need the ability to not just look at the here and now, but also comprehend what putting road blocks in place could mean longer term.

    As an important addition to understanding these concepts, it's even more important to be able to fluently communicate these factors and decisions to those around you - be they upper management or operational staff. This is actually where technical ability is still quite important: you need to be able to communicate with everyone on their level *effectively*.

    I was half tempted to stray into the other peripheral areas of knowledge you ought to have, such as financials, legal/auditory compliance, etc., but I think I've said enough to at least convey the idea that I believe it's more important at the CxO level to be in possession of a firm grasp of business concepts than of infinitely in-depth technical knowledge.

    That said, please don't misconstrue what I've written as arguing that any Business graduate should make an ideal candidate for CIO or CSO responsibility. Oh my word, what a disaster that frequently is...

    Thoughts?

    Cheers,

    Lain

  • Hi Lain,

    Sorry, I did not work over the weekend and therefore did not answer your question.

    If I get your post right, we pretty much agree: the CSO does have to have broad IT-related knowledge in order to understand the impact of certain decisions. In addition he/she needs very good communication skills on the business level. There I definitely agree with you.

    I think your final comment is very interesting: I have never (yet) seen a real business person becoming the CSO. I have seen that, with a lot of success, for a CIO, but never for a CSO. I am not clear whether this would be good or bad; I would probably argue against it unless this person already has sound IT skills. I would argue more for the other way round: an engineer with sound business skills.

    Roger
