Industry Perspectives

The Other Cyber Skills Gap: Educating Tomorrow’s CISOs

Oct 09, 2018 | by James Graham

By now, no one questions the investment and focus on training tomorrow's cybersecurity and technology professionals. There continues to be a widely recognized gap between the number of qualified, job-seeking security professionals and the number of positions necessary to secure the world's networks, both now and into the future.

While the discourse has focused heavily on educating the next generation to fill critical practitioner-level roles in government and corporate cyber defense, few have considered how education will play a significant role in helping the current generation take their place in that future fight – as senior security executives at the board and briefing room tables.

New Considerations for an Expanding CISO Role
A significant piece of the challenge for educating tomorrow's chief information security officers (CISOs) is the rapidly changing nature of the role, and the increasing demands placed upon it. According to the member CISOs of the Security for Business Innovation Council in a recent report, not only do security leaders need an in-depth understanding of their business, but they are regularly called upon to provide counsel on what the appropriate risks are for their organization.

"Today, we want and are expected to be business enablers that are helping to drive not only growth, but innovation," says Jerry R. Geisler III, Senior Vice President and Global Chief Information Security Officer, Walmart, Inc. "If your company wants to do something new, you have to bring security to other areas of the organization and truly understand where the business is heading and align your strategy to the overall business strategy. Security leaders have to understand business and the role they play in that business."

For those who hold a technical degree rather than a business degree, pursuing an MBA or a certificate is a valid option with immediate benefits. "If you're inclined, an MBA can pay dividends on the business skills and strategy side," says Roland Cloutier, Senior Vice President, Global Chief Security Officer, Automatic Data Processing, Inc.

Cybersecurity Education: Changing with the Times
Fortunately for those looking to up-level their security knowledge, there has been a focus in the past decade or so on offering educational options. These options help cybersecurity experts looking to position themselves for greater value to their teams and constituents, and for greater opportunity, as more organizations in both the public and private sectors start to recognize the value of leaders who combine a practitioner's hands-on experience with a focus on and understanding of business.

Professor Nasir Memon, founder of the New York University (NYU) Tandon School of Engineering's cybersecurity program and Associate Dean for Online Learning, has been in the thick of cybersecurity education for the last 20 years. He sees some compelling related challenges in executive-level cybersecurity education.

"First, as the CISO function is relatively nascent, we saw a demand from experienced executives for a degree that brings technology skills together with exposure to the intricate policies and regulations that exist today," says Memon. "The security world is only getting more complex and it is imperative for today's executives to be well-versed not only in technology, but in the broader-based risks that can impact their businesses."

And it is just as important for aspiring and existing security executives alike to understand that the classroom is not the only place tomorrow's CISOs will learn their most valuable lessons. "I would encourage security professionals to participate in the security community. Read articles, go to conferences. You can learn a tremendous amount and share best practices and learn what's good in the market," comments Timothy McKnight, EVP & Chief Information Security Officer, Thomson Reuters.

As future CISOs start to elevate themselves above their peers through innovation, leadership and a keen sense of where security and business meet, there are a number of opportunities (and even some demand) for growth in which cybersecurity and business education will no doubt play a part. In this climate, the answer could include reaching into adjacent disciplines that can help a practitioner describe security in business terms, paired with ongoing efforts to stay relevant and sharp on technical and leadership skills. After all, the ways in which the next generation of security executives plots its path could be just as consequential to the cyber skills shortage as a thousand engineers or analysts.


October is National Cybersecurity Awareness Month (NCSAM). Organized by the National Cyber Security Alliance, NCSAM is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. To join the industry discussion, follow @StaySafeOnline or search #CyberAware on Twitter.