The Changing of the Guard for Information Security Executives?

(Full disclosure: This article firmly plays to my personal skill sets and career progression. Wherever possible, I have attempted to correct for my own bias)

There has been a great deal of swirl lately regarding the topic of Chief Information Security Officers and what skills and/or qualifications are needed to position the organization for the best chance of success. On one end of the continuum, the existing pool of executives is brought in with highly-attuned business acumen. Perhaps the person has a Big4 consulting pedigree, an MBA from a well-respected university, and has forged relationships with other executives throughout social functions and other work arrangements.

On the other end of the continuum, an emerging trend suggests that when it comes to protecting assets, forging relationships, and establishing trust among stakeholders and board members, the appropriate candidate should be well-versed in technology concepts and should actually rise up through the information security ranks. The popular justification is that without understanding the threat landscape and actually having “dirt under the fingernails”, how can one fully anticipate the threats and connect with the people who are on the front lines of protection? I find it difficult to argue against this justification; it suggests to me that business is in the midst of discovering that the proper approach is to seek balance and resist the temptation of moving the slider too far toward the business end of the continuum.

On Friday, November 4th, Security B-Sides Atlanta will be holding a panel discussion on this very topic. Participants include Dave Kennedy, CISO for Diebold, a Fortune 1000 company, as well as Rafal Los, Enterprise Cloud Security Strategist at HP. Those within the community who have been observing from a distance would suggest that these two are on opposite ends of the spectrum on this topic. However, I am going to go out on a limb here and suggest that their philosophies are actually closer to converging than diverging.

Other professions have had this debate before, and we can draw parallels from the military as to who makes the best general, or from the football field as to who makes the best coach. As information security continues to mature, it will be the practitioners—not the other executives—who determine the right combination of skill sets needed to be successful in an executive role. In other words, I am suggesting that currently, the business-pedigreed CISO is the safer perceived choice, not necessarily the better one. You see, the statistics are beginning to bear out a frightening pattern when it comes to protecting information assets: the trend is getting worse! More and more companies are getting breached under the watch of the business-focused CISO, suggesting a disconnect between theory and reality.

Sooner or later, information security practitioners will begin to realize that the effort required to move along the continuum from hardcore technical to business is not as great as once perceived. Simultaneously, those business-focused executives who are forced to become more technical will find the path much more difficult than anticipated. This will present some interesting discussions for businesses as they struggle to determine the appropriate combinations for their respective needs. As anticipated, it appears that the optimal combination is not black or white. I think what can be agreed is that the role of the information security executive in today’s challenging climate should be reevaluated.

What do you think?
