Which Comes First - the Banker or the Security Professional?
Say you need to hire your next CISO. Do you hire a security executive who can learn banking, or a banking executive who can pick up the necessary security skills?
Let me back up: This question first arose when a security consultant friend visited a newly-hired bank CISO. We're talking a decent-sized institution here. But when the consultant asked some pertinent questions about banking operations ... well, it was clear that the CISO didn't even know how a check was processed. He was a security guy, fumbling to learn his banking business on the job.
So, we wrote a story about the topic, threw this question out to our readers, and here's some of what we got back:
I'm not saying anyone is right or wrong, but I will point out: Increasingly, information security is a board-level issue. Top business leaders at banking institutions are having their feet held to the fire about security and compliance, so you can bet they're inserting themselves into plenty of conversations about security matters. And whomever they're speaking to had better be prepared to respond in the language of business - of banking.
As one banking/security leader told me just last week, "We really should be pursuing MBAs more than we should be pursuing Masters of Computer Science at this point."
This individual has worked with many banking institutions globally, and he says that far and away the best CISOs he has seen have been bankers first, security professionals second. "If you understand that information security is only 25% technology, 75% people, process, procedure and policy, that alone drives you to understand that the person that is going to be successful is the person who understands the business and not the person who understands the technology."
Any dissenting opinions?