There’s also a laundry list of expected technical skills. Beyond the basics of programming and system administration that any senior tech executive would be expected to have, you should also understand security-centric technology such as DNS, routing, authentication, VPNs, proxy services and DDoS mitigation; secure coding practices, ethical hacking and threat modeling; and firewalls and intrusion detection/prevention systems. And because CISOs are expected to help with regulatory compliance, you should also know the regulations that affect your industry, such as PCI DSS, HIPAA, GLBA and SOX.
But technical knowledge isn’t the only requirement for snagging the job — and may not even be the most important. “Effective CISOs are by their nature cross-functional and blend technical expertise with an understanding of the business,” says Ralph Pyne, CISO for Apollo.io. “Security teams frequently have limited budgets, so practitioners are well versed with the ‘do more with less’ approach that makes them trusted by the finance team.”
Much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”