Traits of an effective CISO

Top-notch IT skills are just a starting point for a would-be CISO. (Credit: Vertigo3d/iStockPhoto)
 

Business acumen and communication skills are two major requirements for anyone eyeing the position of chief information security officer (CISO), headhunters told Computerworld Hong Kong.

“A CISO needs to engage with the board and he needs to engage with business leaders to say yes or no relating to certain ways of doing that. So they’ve got to be able to reflect that. They have to be business-minded,” Nick Marsh, managing director of Meraki Executive Search & Consulting, said.

Fiona Fung, senior consultant – IT Commerce Division at Robert Walters Hong Kong, added that communication skills also rank high in a CISO’s job description.

“It has become a senior executive position where the person is to articulate business risks of cybersecurity threats to a non-technical audience,” she said. “The successful candidate is expected to be very aware of the legal, regulatory and privacy issues around different cybersecurity areas.”

And because a CISO has to get senior management buy-in for his initiatives, the ability to convey complex scenarios and messages clearly and coherently is a must-have trait for applicants for the job.

“They should have good negotiation and confrontation skills and it would be good if the candidate has a good integrity trait,” said Fung.

With Hong Kong’s short supply of CISOs, both Meraki Executive Search and Robert Walters dipped into the talent pool outside the city to fill vacant positions.

“There are a lot of security experts from overseas coming to Hong Kong. When they are here and they are good, they get stolen elsewhere – sometimes within their own company, going from being an ‘Asian’ person to a global person based somewhere else,” Marsh said.

Marsh added that companies should consider hiring a person who is a first-time CISO.

“It is about an evenly balanced assessment of skills, capability, fit and so on. You clearly made an appointment to any role based upon who is the right individual for that. Ultimately, you’ll get to a point when you have to appoint somebody into a CISO who may not have held the position before,” he said.

In the years ahead, Marsh expects the talent pool for local CISOs will grow as local universities begin churning out more graduates who specialize in cybersecurity.

However, Ricky Woo, convenor of the Cybersecurity Specialist Group at the Hong Kong Computer Society, said technology skills alone are no longer enough.

“The salary of a CISO has increased dramatically in the last two years by more than 50%. So a lot of would-be university students are now taking their exams with an eye on becoming cybersecurity professionals,” Woo said.

“Even with more supply, Hong Kong employers have to make sure that a would-be CISO fits their requirements. Selecting a CISO today is a complicated task; it is not just about finding a firewall operator or some generic techie,” he concluded.