Most Effective CISOs Have Business Background, Says IBM Security Leader

Don't feel insecure about your lack of a heavy technical background, CISOs, because the most successful CISOs are those with a business background, said Kris Lovejoy, general manager of IBM Security Services, at an IBM security leadership forum Wednesday.

Lovejoy provided a preview of research IBM conducted about the state of the CISO; the full report will be released next month. Among the findings: Most CISOs report into IT (and the CIO) "because that's where the money is," while others are reporting to their CEO, chief operating officer, or chief administrative officer.

The reporting structure is one of the reasons that CISOs coming from the business side are more effective, says Lovejoy, because "they know how to manipulate the system" and get things done despite the challenges of organizational politics or bureaucracy.

Sixty-three percent of the enterprises included in the study have a dedicated CISO. Lovejoy said this number was too low. "It's such a nascent career," she said, "and that scares me."

"They're not getting it from magical means," but rather through human error. Therefore, she advised CISOs to focus on the end-users, by building a culture of security awareness and hardening endpoints.

Other advice: Don't fool yourself that your organization is not using cloud services. "Talk to your CMO," advised Lovejoy, because most of the projects that employ third-party cloud services (often for website building or hosting) are run by the marketing department.