Career Insights with Upasana Gupta

What Sony Needs from Its First CISO

Hiring Managers Share Thoughts About What Sony Needs

Since Sony announced that it would hire a chief information security officer, it has not said whether the position has been filled.

Meanwhile, I reached out to some hiring managers and asked them: What would you look for in Sony's first CISO?

Joyce Brocaglia is the CEO of Alta Associates, an IT security recruiting and placement company, and Michele Porfilio is the strategic sourcing director for Crowe Horwath, a public accounting and IT security consulting firm.

"Sony probably needs someone from outside who can shake things up a little bit," Brocaglia says. "The person from day one will need to demonstrate the capability of dealing with the fallout of a breach and the remediation process."

For an organization's first CISO, the unique demands include understanding what authority the position actually carries, what kind of support it attracts, and from what level within the organization that support comes.

It's clear that strong leadership and diplomacy skills outweigh the technical IT security knowledge needed in this role. Among the skills recruiters say they would seek in a successful candidate:

Team Management: "It's not about an individual's skill sets that are technical in nature; it's really about someone able to acquire and manage a team that has the right skill sets and is forward-thinking enough to embrace all the silos that fall within the broad range of a security officer's responsibility," Brocaglia says.

In practice, the role needs an executive with prior experience in a complex, global organization: someone who has restructured or reorganized a global team and has relied largely on influence and leadership, building consensus with business units, to resolve issues.

Transparency: "In Sony's case, the CISO needs to be someone who can work and report in a transparent manner to the board," Brocaglia says. This position, as Sony indicated last month, is to report to Shinji Hasejima, chief information officer of Sony Corp., and that raises significant questions about the visibility and authority the CISO position will have within the company.

Given this hierarchy, it is unlikely that the CISO will have direct access to the executive committee or the board. As in most such cases, it will be the CIO who drives the IT security agenda in the boardroom, and that could interfere with the CISO's ability to lead enterprise-wide IT risk and security programs and policies.

Partnership: "The assertiveness of this position will ultimately be based on how the leader can influence change and collaborate with other business executives to get their buy-in to funnel and back information security initiatives and policies within an enterprise," Porfilio says. "A strong leader can get surrounded with good technical expertise needed to get the job done. But if they are not a strategic thinker and a business partner, the rest does not matter."

The CISO must be able to set strategic direction: defining risk management and security policies, creating awareness, and designing effective business continuity and incident response programs that help the company support its business goals and initiatives.

"It is the vision of staying ahead of the threat landscape and strength of persuasion and negotiation skills with business executives that becomes a highly critical attribute," Porfilio says.

Holistic Understanding: In Sony's case, repeated breaches have also shown that the company may have failed to maintain a proper understanding of the importance of information security. The CISO will therefore need to create a cultural shift in which people know what security means and what their own responsibilities are.

So one of the important characteristics for Sony's CISO "is the ability to have a broad understanding of risk holistically, as opposed to the technology that's gone behind the problems they have had," Brocaglia says. "The leader needs to articulate his position and knowledge of information security, governance and risk management to all of the business leaders and executives in their company and show information security as a value add."

Results-Driven: Finally, the candidate must excel at delivering results quickly.

"We are (often) asked to replace one CISO with another, not because of lack of information security expertise, but because it's the lack of that person to take the organization to the next level and have a broader perspective on risk and governance process as a whole," Brocaglia says.

Ultimately, the effectiveness of the CISO role will depend on how Sony positions and empowers this function.

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all of Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.