Are you qualified to be a CxO?
By Dr. Suresh Ramasamy, Head, Group IT Security at Hong Leong Bank Berhad
The recent Equifax incident was a massive data breach spanning several countries.
Equifax provides credit information and has access to sensitive information such as names, social security numbers, birth dates, addresses and even drivers’ license numbers. Having this information divulged can make identity theft very easy. As this incident has far-reaching impact, Equifax came under the microscope and one of the aspects analysed was the CISO’s credentials.
Analysis of the C-levels
In this particular case, from the publicly available information, it was determined that the CISO for Equifax had a Bachelor’s degree in Music Composition (Magna Cum Laude) and a Master of Fine Arts in Music Composition (Summa Cum Laude). This raised many questions as to whether the person hired was competent to perform the role. However, other facts remain equally relevant. She had been a CSO/CISO since 2013 and previously worked as SVP/CSO for another organization until July 2013, with earlier experience at a bank as Group VP.
What determines the hire of a C-level?
Each organization has its own unique blend of requirements before hiring key personnel. A basic job description would set a minimum requirement of a university degree (preferably in the same line of business). Certifications are usually named, at times only because they were copy-pasted from another posting without a full understanding of what they demonstrate or of alternative certifications that assess equivalent skills. For a CEO, most organizations look at the candidate’s past performance in the form of financial strength and achievements, and sometimes an MBA from a reputable school (most often as a checklist exercise).
The CISO, however, is seen as a technical leader moving up the technical ladder into management, with many assumptions about how the role is expected to function. Globally, leaders of security functions have traditionally come from military or law enforcement backgrounds, while cyber leadership is a gray area at best. Personally, I’ve seen the role filled by people from very diverse backgrounds – from someone who has done black hat activities to someone who leads Finance.
Education/Certification vs Experience?
Network Cyber Information Security, or NCIS, is a new industry. The current leaders (who studied for their degrees many decades ago) would probably have started off with degrees from various backgrounds. My own degree was a major in Information Systems Engineering.
The notion of security in computing did not exist then, though most of us had been annoyed by viruses (I have personal war stories against DH2). So, fast forward to today: if a leader now has, say, 20 years of experience, the most relevant fields of study would be Mathematics, Applied Mathematics, Computing, Computer Science, and so on.
Most organizations today insist that their candidates have at least a Bachelor’s degree, though I could never understand why, as most of my university knowledge is pretty much obsolete! It’s interesting to note that many millennials I have come into contact with do not see a university degree as important, and are more focused on tangible skills they can use from Day One.
Then there are the industry-type certifications. You’d find the alphabet soup behind my name, as well as many others’, to show accolades and achievements. You’d find many articles and posts on LinkedIn about how tough a certain certification was, and how everyone slogged day and night to get it.
There are many certifications for security, namely CISSP, CISM, GIAC certifications and even C-CISO (I have a view later on, as to why an MBA doesn’t matter to a CEO).
So, which matters?
A degree from the relevant field?
In the early 2000s, many developers from India ended up building the software that we use on a daily basis.
Most of these developers weren’t IT graduates, but university graduates who had taken up programming as a separate subject and thrived on it. Hence, the very foundation of technology was built by “non-techies”.
Does certification matter?
Having a certification helps to tick HR hiring guideline boxes and provides a rudimentary way of saying, “Yeah, we follow industry benchmarks when we hire, so that when something happens, we are covered in terms of following norms.”
If the issue happened around someone who’s CISSP certified, I’m sure to hear flak coming from the ‘non-CISSP’ folks about how useless the certification is. There’s always something nice to say about someone if one looks for it; and vice versa.
It’s interesting to note that when an organization is faring well, no one comments about how well they are doing. The security industry as a whole seems to be moving towards negativity or ‘red’ rather than ‘blue’.
And let’s not forget the usual argument over whether X is a science or an art, with proponents swinging both ways. Personally, I think what it is depends on who you are and how you tackle a problem.
HBR – CEO report
In 2016, HBR released a report on the Best-Performing CEOs. Interestingly, one of the items shown was whether the CEO’s profile included an MBA. Surprisingly (or not), the top-performing CEO did not have an MBA. Link attached below for reference.
Conclusion
So, long story short, was Equifax wrong in hiring who they hired? I have no idea. Did the person have enough experience to be CISO? Maybe. Should they have hired an IT graduate instead and averted the breach? Definitely NOT!
While this is a security issue, organizational IT practices still need scrutiny.
There are many areas where this could have fallen off the track: stability vs. patching, or the CIO’s operational KPIs taking priority over the CISO’s security KPIs.
The patch management practice needs more scrutiny than the C’s in CxO. Patch management in large organizations isn’t as easy as most security pundits make it out to be.
“Just patch it.” Yeah, well, if you lose your bonus because your server goes down during the patching process, I’m very sure you’d look the other way.
(This article first appeared on www.linkedin.com)