Will The CISO of the Future Be A Woman?
July 6, 2009
I attended the Gartner Conference on Monday and I sat in on a panel called “The CISO’s Skill Set.” The panel was headed by Ray Wagner of Gartner, and the panelists included David Foote (Foote Partners), Alan Paller (SANS), and Joyce Brocaglia (Alta Associates).
As the panel went on, the discussion headed in the direction of what skills would comprise the CISO of the future. Almost on cue, the panel unanimously agreed that the CISO needed to have a good blend of technology, business, and people skills. They also stated that the future CISO would be a great communicator, consensus builder, and a change agent.
In response to this, Ms, Brocaglia stated that the latter of these interpersonal qualities necessary to be successful for the role will most likely be found in women.
Whoa! That was heavy. This statement should have sent shockwaves through the audience, which was comprised of corporate information security leaders and was roughly 85% male. I could not possibly imagine devoting your career to a profession and then being told that by gender alone you are less than desirable.
Before I go on, I would like to provide a couple of disclosures:
1) I am male
2) Ms. Brocaglia’s company (Alta Associates) is a competitor of mine (LJ Kushner & Associates)
3) I have professional respect for Ms. Brocaglia and the Executive Women’s Forum (which I think is a great idea)
4) I often disagree with Ms. Brocaglia
Ms.Brocaglia’s statement (which she supported with a reference to a HR study) that females are most likely to be more effective communicators, change agents, and consensus builders, promotes a prejudice and a stereotype, that men (as a group) are less capable of possessing these attributes. The results of the HR survey may be accurate, and indeed women (as a group) may be more likely to excel in these areas better than men (as a group), but this should not have any effect on the recruitment of an effective CISO.
Companies do not hire groups, they hire individuals. Generalizations should have no bearing on and should never influence the decision making process, when it comes to selecting a qualified CISO. When a company is searching for a CISO, they will identify an individual who possesses relevant skills,has demonstrated professional excellence, and is capable of providing leadership to their information security program.
Collectively, it is my experience that the women who have chosen Information Security as a career are traditionally high achievers and many have gravitated towards positions of leadership. In many cases, they have had to overcome greater adversity and gender based prejudice to achieve similar professional success as their male counterparts.
The female information security leaders that I have encountered share common traits. They are all smart, business savvy, technical, personable, and driven to succeed. They are tough negotiators and have a great deal of conviction in their beliefs. Ironically, these are the same skills sets that male information security leaders possess.
In my opinion, skills that include consensus building, effective communication, and organizational transformation can be classified as softer skills. These are skills that are developed through experience, maturity, and conflict resolution, and are not inherent to gender.
I agree that the skills that Ms.Brocaglia mentioned are all skills that are necessary to be an effective CISO. However, these aforementioned skills are ones that need to be developed and cultivated, independent of gender.
In the past thirteen years, I have worked with many companies in their search of competent information security leadership. They all have one thing in common, they are looking for the best talent who can thrive within their environment and get the job done. I have never once heard a client mention the applicant’s gender as a qualification (nor do I ever think I will).
One of the items that I stress the most in any recruitment process is to keep an open mind to candidates with different backgrounds and unique experiences. I have had many instances where clients have hired Information Security leaders who did not come close to matching their initial “ideal” candidate profile. However, by getting to know these candidates through the interview process, they discovered that their experiences were quite relevant and would enable them to succeed in an information security leadership capacity. In all of those cases, the customer was happy that they discarded their initial prejudices and overlooked their preconceived notions.
The CISO of the future will be a special leader. They will be innovative, the will be highly skilled, and they will inspire others. They will be of different gender, race, religion, and ethnicity. They will have made strategic career investments that separate them from their peers. They will be hard workers. They will have high moral character. They will be competitors.
They will be the top 1% of our profession.
We all still have the chance to be that leader!
“All generalizations are false, including this one.” – Mark Twain