None of the top 10 skills that state chief information security officers need to succeed involves technological know-how.
That's according to a study, Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers, recently released by University of Kansas researchers and the IBM Center for Business in Government.
Researchers surveyed 18 state CISOs last year, and here are the skills the security officers rated as high or very high in importance:
- Communication and presentation skills;
- Policy development and administration;
- Political skills;
- Knowledge about the state government;
- Collaboration and conflict management skills;
- Planning and strategic management skills;
- Supervisory skills;
- Incident management;
- Knowledge of regulation and standards compliance;
- Risk assessment and management.
How valuable are these skills to these CISOs? As one CISO told the researchers, it's crucial ...
"... to articulate IT security and privacy technical issues in a non-threatening and clear/actionable manner to non-technical leadership."
CISOs needn't be political, but being grounded in politics helps, as one CISO explained:
"Having an understanding of political relationships between agencies/departments is also helpful. I do not personally get involved in the political arena but there are history and power struggles that impact what I do."
Tech skills made up the majority of the next dozen skills, which the CISOs deemed moderate to high in importance:
- Budget and fiscal management;
- Business process analysis;
- Security architecture;
- Systems security;
- Disaster recovery;
- Network security and firewall management;
- Identity management;
- Data and information management (classification, retention, destruction);
- Application security;
- Procurement of systems, software and services;
- Database security;
- Digital forensics.
The study's authors say different states require different skills for CISOs to succeed, but add that understanding how skills are valued in various state environments could help CISOs determine their professional development priorities.