Yes, I can name dozens of people who would have made excellent CISOs in 2017 and meet my (low) bar of (1) relevant IC experience and (2) some relevant formal training.
> The buck never stops at the CISO, just like it supposedly didn't at Twitter.
If the buck doesn't stop there, it certainly passes through.
Let me flip this around: should you hire a Software Engineer with decades of management experience at a bank as the Chief Financial Officer? What about a lawyer who's worked at a hospital to be the Chief Medical Officer? Would you hire an MBA without any legal experience to be your Chief Legal Officer? No, no, and no. If a company did any of those things and shit hit the fan, people would be irate and the company would be rightly criticized.
So why is it okay to fill CTO and CISO roles with MBAs who have no technical training or experience?
It's not, and I don't think juries are going to put up with this over the next couple decades. The "new field" argument is increasingly implausible.
My current employer's CISO or my former employer's equivalent of the CISO. Both were hired prior to 2017 and had relevant education and expertise. And no, I'm not going to risk doxing myself to someone accusing me of sexism for saying that CTO/CISO roles should be filled by people with relevant education.
> Compsci is not an infosec-related degree.
Are you kidding me? I am beginning to lose confidence in any ability to have a reasonable conversation with you.
Four years of CS cover a lot of material that is directly relevant to information security, even without any formal coursework in security. Most CS degrees require several years of programming, an Operating Systems course, and courses like Networking, Cybersecurity, and Cryptography are often offered as electives. Even the basic courses offer a lot of basic knowledge about the work being managed.
Is it everything you need? No, of course not! That's why the criteria -- from my first post -- are BOTH relevant education and also relevant IC experience.
What is inappropriate is a CISO who has never written or read a single line of code, never configured a piece of IT equipment, etc. It would be like a CLO who has never read a legal brief or a chief medical officer who has never treated a patient. They won't even have a basic high-level understanding of what's actually going on in the work they are managing. I've seen this, first hand, from a (male) executive who did not have a technical background.
I took courses on Cryptography, Networking (with a unit on DoS/DDoS mitigation), Operating Systems (with a TON of systems programming that got me intimately familiar with buffer overflows and memory models), and a Software Engineering course that included some discussion of injection attacks.
As term or course projects I implemented or was part of a team that implemented: a virus scanner, an intrusion detection system (back before they were common -- we called it 'dynamic iptables' or something like that), portions of an operating system with a bunch of security- and permissions-relevant stuff, a password cracker, and a bunch of crypto algorithms.
Aside from all of this, a basic understanding of how to program and build software systems is already important background.
But no, CS is totally unrelated to infosec and I'm a sexist dick for saying that people in leadership should know about the work they are managing. /s