Why is it classed as a tech role?

If businesses do put the CISO role under Tech then it does become a lot more problematic to fill.

I speak to Loads of CISO’s looking for work and a big question I’m always asked when speaking to them about a role is ‘where does the role sit?’. It shows how serious the recruiting business takes Security and ultimately how much autonomy to do their job once they are in post.

Depends on what they want out of the role I guess. If they don't intend to budget for any improvements but need a scapegoat for the next breach, I hear Amber Rudd needs a new role now :)

It's only hard if you don't enjoy what you're doing.

I would say "...hardest to fill with the right person."

The “S” really means Scapegoat.

I was just talking with my manager about this the other day when discussing my career goals. He made the comment I knew all too well. He said a CISO used to need to be tech savvy, but today’s CISO needs to play politics and techies have a hard time with politics. There’s also the issue with clearly defined roles. We all know Security programs are not successful without clear buy in from leadership, but if a CISO isn’t given the ability to engage leadership directly, implementing cyber strategy can be frustrating and ultimately lead to frustrations. When good employees don’t feel effective they get discouraged and end up looking for new work.

Matthew Reyes, CISSP - what they say about 'today's' CISO is pretty much the same thing they said about CIO for years, and VP of IT before that and 'head of DP' before that.

Truth

We in the security community have exacerbated this problem. I would bet that, of the CISO moves that happen these days, more than half are because the “CISO” never should have been in that role in the first place. Too little experience, too little technical knowledge, too little executive presence, too little business knowledge, too little vision, too much greed when they see the ridiculous “market price” for a CISO...

Because it's not a tech role..

#CISO doesn't seem to be a technical role but having technical background is really a HUGE advantage.

Yup. And when companies finally find that seasoned CISO they give them no budget to work with. ;)

Business acumen is a key to success and good leadership.

First, CISOs should not answer to the CIO. They have completely different roles and responsibilities (that must be well established and understood) and must work together; however, they should answer to C-level executives, not the CIO. The CISO must have a strong technology understanding but doesn’t necessarily needs to be a “techie.” He/she must understand what’s needed in terms of products and services to be able to request necessary budget to identify, protect, detect, respond, and recover from breaches. He/she must understand what it is they are trying to protect and how is that going to be done. Without technical knowledge, how is it that he/she will know how to proper secure information? For example, a CISO must understand cryptography and know they must have a policy for managing cryptographic keys, what algorithms to use for different functions (e-mail, website), the lifecycle of key management (creation, transport, ..., storage, destruction, ...). Yes, you’ll have to work with the CIO, have a security engineer planning that, but how can you aprove it when you have no idea if it’s a good plan or not? How can he/she ensure the hardening of network systems without technical knowledge?

So, commenting here is an interviewing strategy, I guess.

Gear up, future CISOs!

This is an article from 2016 and does not truly reflect today's market in 2018.

Have to agree. Information Security covers people, process and technology. Being technical is only covering 1/3 of the remit.

Really good perspective. I have experienced a wide range of what is expected of a cybersecurity leader. Often times, it seems like a search for a unicorn living at the top of Candy Mountain.

A role that should be quite capable of managing both sides. A sacrificed lamb to be, ensure to put everything is in its proper place then you'd be doing just fine.

I love this perspective. While it may be old, this in my view is still accurate. If you apply this to Security professionals as a whole, it is still accurate today.

I'll echo that the CISO should not report to the CIO. The role is different. I have seen it under legal, finance and IT. It should be considered a separate business function. This however gives rise to have a CIO and CISO willing to work together.

The biggest problem in the industry is finding qualified candidates for all levels. I like leaders who are technical and can teach it, but we need opportunities to progress. Without the opportunity there will be a larger shortage of CISO's in the near future.

Within the question lies the answer. It is not a position to be filled. It is your business, your shares, your risk and your job.

Just one small thing, CISO isn't a tech role. In my part of the world salaries rather range between 100k-200k USD/year.

Personally, I don’t think it’s any harder to fill than any other role. It’s more about managing (people’s) expectations and being clear about the ask and owning the outcomes. For a CISO and any leadership role, it’s as much about ability as it is character and the ability to assimilate and act on new information, security or otherwise. It’s not just about the technology.

With a CISO specifically, there is probably an expectation that you have experience a mile wide and a mile deep on absolutely everything in security as well as the personality/ability to thought lead in it. In reality, most people don’t and its unrealistic to think otherwise. People will definitely have traits and skills specialities that’ll take them close to a mile deep in some areas but in others people may only have shallow knowledge because of lack interest, ability (natural or learned) or opportunity otherwise EVERYONE would be a CISO, right?

Ultimately, a CISO would only ever be as good or successful as the team working for and with them. Where CISO’s shine or stand out is when they evidence taking a lead in setting directions and policy on security, ownership in times ambiguity and a team that rally’s around and believes the same as they do. That may be the bit that could make them “hard to find”.

Because its not a tech role...

I don’t envy you