Since Sony announced it would hire a CISO, it hasn't said whether the position has been filled.
Meanwhile, I reached out to some hiring managers and asked them: What would you look for in Sony's first CISO?
Joyce Brocaglia is the CEO of Alta Associates, an IT security recruiting and placement company, and Michele Porfilio is the strategic sourcing director for Crowe Horwath, a public accounting and IT security consulting firm.
"Sony probably needs someone from outside who can shake things up a little bit," Brocaglia says. "The person from day-one will need to demonstrate the capability of dealing with the fall-outs of a breach and the remediation process."
For a first-time CISO at any organization, the unique demands include an understanding of what authorities are available, what kind of support this position attracts and from what level within the organization.
It's clear that strong leadership and diplomacy skills easily outweigh the technical IT security aspects needed in this role. Among the skills recruiters say they would seek in a successful candidate:
Team Management: "It's not about an individual's skill sets that are technical in nature; it's really about someone able to acquire and manage a team that has the right skill sets and is forward-thinking to embrace all the silos that fall within the broad range of a security officer's responsibility," Brocaglia says.
In practice, the role calls for an executive with prior experience in a complex, global organization: someone who has restructured or reorganized a global team and who has relied largely on influence and leadership, building consensus with business units, to resolve issues.
Transparency: "In Sony's case, the CISO needs to be someone that can work and report in a transparent manner to the board," Brocaglia says. This position, as Sony indicated last month, is to report to Shinji Hasejima, chief information officer of Sony Corp., and that raises some significant issues regarding the visibility and authority given to the CISO position within the company.
Given this hierarchy, it is unlikely that the CISO will have direct access to the executive committee or the board. As in most such cases, it will likely be the CIO driving the IT security agenda in the boardroom, and that could interfere with the CISO's effort to lead an enterprise-wide IT risk and security program and its policies.
Partnership: "The assertiveness of this position will ultimately be based on how the leader can influence change and collaborate with other business executives to get their buy-in to funnel and back information security initiatives and policies within an enterprise," Porfilio says. "A strong leader can get surrounded with good technical expertise needed to get the job done. But if they are not a strategic thinker and a business partner, the rest does not matter."
The CISO has to have the skill sets to set the strategic direction: defining risk management and security policies, creating awareness, and designing an effective business continuity and incident response program, all in support of the company's business goals and initiatives.
"It is the vision of staying ahead of the threat landscape and strength of persuasion and negotiation skills with business executives that becomes a highly critical attribute," Porfilio says.
Holistic Understanding: In the case of Sony, repeated breaches have also shown us that perhaps the company failed to maintain the right understanding of the importance of information security. The CISO here will therefore need to create a cultural shift in which people know what security means and what their responsibilities are.
So, one of the important characteristics for Sony's CISO "is the ability to have a broad understanding of risk holistically, as opposed to the technology that's gone behind the problems they have had," Brocaglia says. "The leader needs to articulate his position and knowledge of information security, governance and risk management to all of the business leaders and executives in their company and show information security as a value add."
Results-Driven: Finally, the candidate must excel at delivering results quickly.
"We are (often) asked to replace one CISO with another, not because of lack of information security expertise, but because it's the lack of that person to take the organization to the next level and have a broader perspective on risk and governance process as a whole," Brocaglia says.
Ultimately, the effectiveness of the CISO role will depend on how Sony positions and empowers this function.