Cybersecurity Insights: Misinformation About CISO Qualifications

The cybersecurity industry has long had challenges bringing in new blood and facilitating career growth.

Misinformation has unfortunately played a part in making various roles appear unattainable, when we should be doing the opposite. We should be embracing flexibility, identifying opportunities, and most of all discussing realistic expectations and roles.

I stumbled upon an article titled “Know more about colleges, jobs, and courses to become a CISO” where they outline the role and qualifications for Chief Information Security Officers. I was shocked at the inaccuracy. 

Here is my rant in video form.

Dangerous Misconceptions

Who writes this stuff? I think many great candidates would be turned off by this, and others, who have some of the listed skills, would be surprised by how they are not applicable to the CISO role.

Let’s take a look at a few of the concerning ‘QUALIFICATIONS’ that CISO candidates should possess:

“Understanding of SMTP, DNS, HTTP, Network routing, VPN, and other technologies”

Nope, you have confused us with network engineers/architects. We know what these protocols, tools, and architectures are, but we likely would not be qualified to design, configure, or troubleshoot them, or to readily determine the specifics when someone is abusing them. That is why we leverage highly specialized technical experts for configuration and comprehensive inspection.

“Understanding of Digital Millennium Copyright Act, trademark, intellectual property, Safe Harbor Provisions, GDPR, and other federal and international legal precedents…” 

You have mistaken us for our close partners, the lawyers and privacy experts. Each of these areas requires a high degree of expertise, and even a small error can become a big legal problem. CISOs know these areas but are not experts in them. Again, we partner with others.

“Ability to read and analyze multiple log formats.”

I don’t know of a single CISO who spends their days analyzing logs. That is a SOC level 1 or level 2 function. Important, but the CISO’s time is not well spent on log analysis!

As a kicker, the author has signed us CISOs up to build “a framework for risk-free and scalable operations”. Risk FREE?! Wow, good luck with that.

The proper function of a CISO is to manage risks to an acceptable level. We cannot eliminate all risks. Even if it were technically possible, which it is not, it would be infeasible due to extreme cost and added friction for users.

I call all this out because misinformation is harming our industry by setting inaccurate expectations. We must clean up job descriptions and clarify the actual roles and responsibilities of positions.

For those interested in more of my rants, insights, and strategic viewpoints, take a look at my Cybersecurity Insights channel:

Matthew Rosenquist 

Cybersecurity Expert

Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever-shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world, and a public advocate for best practices and for communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. He is experienced in building world-class teams and capabilities, managing security operations, evangelizing best practices to the market, developing security products, and improving corporate security services.