Does the CISO role need to be formalised?

18 security experts share their views on whether the role of CISO should be more regulated

Jason Hart, CTO of Gemalto, is on a mission. He wants to formalise the role of CISO. “If I want to be a CFO I need various qualifications,” he explains over the phone. “If I want to be a CISO that isn’t the case.” He believes the role of CISO should be formalised – like an accountant – with mandatory regulations and training. “This doesn’t need to be complicated,” he stresses. “The simpler it is the better.”

The position of CISO is a difficult one though. The business importance of this individual has changed rapidly over the last few years and some see the position as a classic short-term fall guy – ready to be fired with the first breach. Hart says to do the job well you need someone geeky, good with people and good with business processes. “The dynamics of a CEO, if you like.”

“I was an ethical hacker,” he adds, “and every successful breach came down to understanding the business process and understanding the level of risk.” He believes this means that while being technically savvy is a useful skill for CISOs to have, the most important thing is to understand business processes. “If you come from a non-technical background [you might be better at] engaging the board members.”

It is the fluidity that comes with the role, however, that many individuals see as a challenge to regulation. Ian Platt, Co-founder and President of Bromium, tells me, when I meet him in London, that he thinks “as an industry we’re too early for this”.

“A lot of policy is wrong,” he says, offering the example that “95% of contracts [specifically state you must run anti-virus on every machine]”.

It is certainly true that any regulations that do come into place would need to cover a lot of ground and would need to be regularly updated. Interestingly, the US National Association of Corporate Directors (NACD) has come up with one non-mandatory solution – which may get the ball rolling – with the recent launch of its first board- and director-level cyber course.

Whatever your personal views, though, this is a pertinent topic, and one that is likely to be raised more and more over the coming years. So, with this in mind, I asked a range of professionals to come forward and comment on whether they thought the CISO role should be regulated.