CISOs Should Be Licensed Like Other Mature Professions
by Patrick Benoit
Before you start tweeting about how this idea is just more government control, hear me out. Please set aside your initial need to say that you didn’t need a license to be a good CISO and requiring one is just another checkbox. There are always pros and cons to every idea and my intention is to open the discussion.
Why Even Consider This?
The Chief Information Security Officer (CISO) role is relatively young in the world. For a long time, when we talked about security it was generally focused on physical security — except, of course, in many of the three-letter government organizations and the contractors that supported them. The CISO role itself dates back to 1994 when banking giant Citigroup (then Citi Corp. Inc.) suffered a series of cyberattacks from a Russian hacker named Vladimir Levin. The bank created the world’s first formal cybersecurity executive office and hired Steve Katz to run it. Since then we have seen the role slowly slip down into smaller and smaller companies. Partly because of a limited supply of qualified CISOs and the cost of those CISOs, smaller companies have turned increasingly to Security Engineers or Network Engineers with a little security knowledge to step up into the title, giving them a responsible security leader at a relatively low cost. As a result, many new CISOs are swimming in deep water without the training or experience needed to be successful. Using the title on the resume, they then move to a larger company, again without "big" company and "big" security experience. This is not to say that all are incapable of meeting the challenge, but it does point to a weakness in our system of security leadership.
The industry has become inundated with security certifications from numerous professional organizations, with no real way to assess or compare the quality of those holding their certifications. The fancy certification titles lead many outside the security world to be enamored or even fooled by the name. This helps more unqualified candidates into the CISO ranks. We need to follow the example of the more mature professions like doctors, lawyers, law enforcement, accountants, architects, engineers, and pilots, to name a few, and bring a licensing model into play.
What Does It Take to Be a Pilot?
“There's no such thing as a natural-born pilot.” – Chuck Yeager
Being a flight instructor and pilot myself, I’ll use my experience as an example. To become a commercial pilot (someone who gets paid to fly aircraft), you must follow a path of basic aviation education/training (knowledge-based and practical), pass a flight physical, meet minimum experience requirements, pass an FAA-administered practical examination, complete additional education specific to commercial aircraft types, and pass that practical examination. At this point, you are ready to seek a job as a Second-in-Command (SIC) or co-pilot. After several years’ experience in the “right seat”, you may become Pilot-in-Command (PIC) qualified in a particular type of aircraft and can move into the left seat. Seems like a lot of work, and it is. It is also very expensive to accomplish. And, even after you achieve your PIC status, you must still maintain evidence of recent experience, pass a new flight physical as often as every 6 months, and attend yearly requalification training in each type of certified aircraft that you fly. It is a lifelong commitment of time and resources to continue as a commercial pilot for a profession.
NOTE: Technically, pilots are certificated, not licensed. The words are often used interchangeably; however, a pilot’s certificate can be revoked by administrative action of the issuing agency whereas revocation of licenses usually requires judiciary intervention.
But People Don’t Die If a CISO Fails
Really? How about the CISO at a hospital that “fails” and the patients are now unable to receive urgent or emergency care due to a security breach? What about the CISO for a critical infrastructure provider like electricity? How many people are injured or possibly die if that provider is breached in the middle of summer in Florida and there is no air conditioning? CISOs have a critical role in every company and that role requires the same licensing oversight as other professions.
What Would Licensure Look Like?
Consider these minimum requirements to be licensed as a CISO. This is only an example of possible criteria:
· Undergraduate degree in cybersecurity/technology or 10 years cybersecurity/technology experience
· Five (5) years of cybersecurity leadership/management experience
· 40 hours of recent (within the last 12 months) approved cybersecurity training, including at least 16 hours of training specific to the CISO role
· Pass a licensing examination conducted by a recognized licensing agency
· Acknowledge and agree to a code of ethics and agree to be licensed subject to the licensing agency with respect to disciplinary action for misconduct or breach of ethics
· Maintain annual continuing education requirements of 40 hours of related training
There are endless ways these requirements could be changed to develop a mature licensing model. The result will be a distinguishable supply of qualified candidates and ultimately greater security with more standardized practices in our profession.
About the Author
Patrick is an Advisory CISO and formerly the Deputy CISO for Cheetah Digital. He is a Security & Privacy Executive, Writer, Speaker, Knowledge Provider and Seeker. He has been an Executive Business Partner at Experian; a Customer Delivery Executive and Service Delivery Leader at Dell; and owned a technology consulting company. He is certified as C/CISO, CISM, CISSP, CRISC, PMP, ITIL Expert, and Lean Six Sigma Black Belt. He is a pilot and flight instructor. He studies and teaches Aikido, rides motorcycles, and his favorite teaching is “From Chaos Comes Greatness,” a loose translation from the “I Ching”.
This article was originally published at: https://www.linkedin.com/pulse/cisos-should-licensed-like-other-mature-professions-patrick-benoit/