Should a CISO Have an MBA?
I posed this question to four CISOs representing the federal, state government and private sector. Here is their take:
Mike Russo, CISO for the state of Florida, believes that an MBA provides a good foundation for the younger folks in information security. "The core learning areas would help individuals understand the importance of technology and security as a support function for business," he says. For him, having an MBA is advantageous, but not essential in his position.
According to Chris Buse, CISO for the state of Minnesota, "My deductive answer is no. I believe CISOs need a strong understanding of technology, internal controls and a clear understanding of the legislative process because that is where the money ultimately comes from. These requirements center on knowledge and not specific initials behind your name."
For Buse, his effectiveness in the role comes from on-the-job experience, his background as a chartered public accountant and the work he has done leading an IT audit group. Working in audit has given him the skills he uses every day in his job -- to manage risk effectively and craft solutions, as well as to get a firm grip on accounting and finance.
Patrick Howard, CISO at the Nuclear Regulatory Commission, does not have an MBA and is not aware that any of his peers in other agencies do, either.
"Knowledge of public sector business operations and objectives is more of a function of relationship building versus academic training," he says. "I'd contend that an advanced degree in information technology or information management would be more beneficial than an MBA."
A CISO is the executive responsible for an organization's entire security posture, and as such the role has evolved from one of IT security administration to high-level risk management. Today, a major part of the CISO's responsibility is looking at the big picture and making strategic decisions based on acceptable and unacceptable risks affecting the entire organization.
This being the case, I agree with both Buse and Howard that CISOs today need something more specialized than a general business management degree to lead the security function within the business.
I would say that becoming a member of associations such as the Institute of Risk Management or ISACA, or taking up specific information security management courses offered by academic institutes such as James Madison University, University of Dallas and Purdue University, will probably help security leaders far more to understand the business aspect of security and communicate the value to business leaders.
However, steering this discussion to the other side is a private sector CISO, Malcolm Harkins of Intel Corp., who strongly advocates that an MBA degree adds great value to a CISO's ability to control IT risk and to understand what the business is trying to accomplish. "This distinct perspective is a critical necessity for security executives now that information technology has become the core of managing IT risk," he says.
Harkins believes that the CISOs of the future will need this business orientation in order to think mostly at a more strategic level.
Agree? Disagree? I'd love to hear your perspective. Is an MBA degree necessary for CISOs today?