mnovelo - Fotolia
Do CISOs need computer science degrees?
Equifax's CISO came under fire for having a music degree. David Shearer, CEO of (ISC)2, discusses what type of education infosec professionals should have.
As high-profile data breaches continue to make headlines, CISOs have been thrust under the microscope as their work histories, educational backgrounds and qualifications are scrutinized.
That scrutiny has sparked a debate over whether or not information security professionals, particularly CISOs, should be required to have computer science degrees. One of the most recent examples involves Equifax, which suffered a catastrophic breach last year; the credit rating agency's CSO, Susan Mauldin, came under fire for reportedly having a degree in music rather than computer science.
However, some have since pointed out that many infosec professionals do not have computer science degrees. While such degrees can be valuable, David Shearer, CEO of the International Information Systems Security Certification Consortium, or (ISC)2, believes they shouldn't necessarily be requirements for CISOs, and that other educational or training resources, as well as work experience, can provide the skills needed for certain positions. Here, Shearer shares his views on the debate and the topic of CISO qualifications.
David Shearer: Everyone jumped on the fact that Equifax's CISO had a music degree. Okay, but, scientifically speaking, music is highly mathematical. It's highly analytical.
We have lots of people that came from different backgrounds that are in the security profession. I wouldn't want to jump there.
I think, as the head of an organization like (ISC)2, a thought-leader in cyber security, I think it would be premature to throw a CISO under the bus because we don't know what's around that. It looks like there are allegations of business practices that that CSO may have had no line authority or control of.
Personally, I'm reluctant to start jumping on the bandwagon of trying to say she was unqualified. I don't know enough about her or what was going on around her. Did she have something to do with standing up a bogus-looking website for credit monitoring after the breach? Was she responsible for the site's terms of service that made it look like you had to omit yourself from any type of class-action lawsuit against the company? That might not even be the CISO.
We saw the same thing with the CIO function previously. Many people got CIO positions even though they didn't have a technical background with computer science degrees, and they had varying degrees of success. I think you can be a successful CIO and not be a technologist if you have trusted people around you that are really good that bolster you, and [if] you're a strong leader.
I still think it's a little bit of a risky proposition; having worked in that function for a lot of years, it always helped me to have come up through the technology ranks, but what I had to do was build my executive skills and my leadership skills and learn to lead those technical folks [Prior to (ISC)2, Shearer served as deputy CIO at the U.S. Department of the Interior and associate CIO for International Technology Services at the U.S. Department of Agriculture].
And it's not unlike the CISO function. Some people come in it from different degree pasts and it's really a hit or miss. Could somebody come in and be a generalist and lead all that? I think there'll always be exceptions where somebody that doesn't have a [computer science] degree is brilliant. We meet them all the time. We have members on our board that are brilliant that don't have degrees, but they have certifications.
I think it's really hard to say, 'Everyone must have a degree.' We have people that come up through the ranks that start coding when they're in their teens or even younger than that; they're phenoms. But can you count on the small number of phenoms to fill an entire industry? No.
And I think that's where certification bodies and even formal education comes in. You have some level of assurance that the person has some understanding of what's going on.
I'm not saying that every CISO has to have a CISSP [Certified Information Systems Security Professional] certification, but we're trying to offer some level of assurance to hiring officials that people have at least been exposed to the broad holistic nature of enterprise security. We don't make any claims to fame that, if you're a CISSP, you're an expert in every facet of security. It's not a silver bullet. That probably sounds counterintuitive from somebody who runs a certification body, but we have to be honest with ourselves.