Cybersecurity Leadership: The Evolving Role of the Chief Information Security Officer (CISO)
The Importance of Proper Cybersecurity Leadership
“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. [Name omitted] had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June, 2023, after working in other roles at UHG and Change Healthcare. Although [the CISO] has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” the senator wrote. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.”
The letter highlights the importance of proper cybersecurity leadership. A CISO should have extensive experience and expertise in the field to make informed decisions and implement effective security measures.
The Role of the CISO: Beyond Technology
Right or wrong, the letter illustrates how many officials incorrectly see the CISO as the head of the Security Operations Center or as someone overseeing cryptographic strategy. The role has evolved to be far broader, and much of its value comes from persuasion skills. Technical skills are appropriate, but if the hiring executive must make trade-offs when hiring a CISO, what trade-offs should be made?
The CISO role is no longer limited to technical expertise alone. It requires a deep understanding of business, governance, risk, compliance, and data privacy, as well as the ability to manage global vendors, employees, contractors, counsel, executives, and board members.
The Challenges of Being a CISO
“We’ve gotten to the point where nobody is sufficiently qualified to be a CISO. We are asking these people to be experts in cybersecurity, information technology, data privacy, AI, governance, risk, compliance, and business. Although they are rarely lawyers, we want them to be able to interpret and comply with myriad frameworks, industry standards, state, federal, and international regulations,” says Brian Levine, managing director at Ernst & Young overseeing cybersecurity. “Although we do not leave them with sufficient time to read, we want them to keep up with technology that is changing on a daily basis. Although they are technology experts, we also need them to be stellar managers — to be able to manage global vendors, employees, contractors, counsel, executives, and board members. CISOs are doing their best, but nobody can really live up to these standards.”
The CISO role is incredibly demanding, requiring individuals to possess a wide range of skills and knowledge. Staying up to date with the latest technologies and regulations while also managing a team and making strategic decisions is challenging and time-consuming.
Conclusion
The role of the CISO has evolved significantly over the years, requiring individuals to possess a broad range of skills and knowledge. It is no longer sufficient to have only technical expertise; CISOs must also be able to manage global teams, interpret regulations, and make strategic decisions. The challenges of being a CISO are significant, but it is a critical role in ensuring the security and integrity of an organization’s data and systems.
FAQs
What are the key skills and qualifications required of a CISO?
A CISO should have extensive experience and expertise in cybersecurity, as well as knowledge of business, governance, risk, compliance, and data privacy. They should also be able to manage global teams and make strategic decisions.
What are the biggest challenges facing CISOs today?
The biggest challenges facing CISOs today are staying up-to-date with the latest technologies and regulations, managing global teams, and making strategic decisions. They must also be able to interpret and comply with myriad frameworks, industry standards, state, federal, and international regulations.
How can organizations ensure they are hiring the right CISO?
Organizations should look for CISOs with extensive experience and expertise in cybersecurity, as well as knowledge of business, governance, risk, compliance, and data privacy. They should also assess the CISO’s ability to manage global teams and make strategic decisions.
What is the future of the CISO role?
The CISO role is likely to continue to evolve, with a greater emphasis on strategic decision-making, global team management, and compliance with regulations. CISOs will need to be well-versed in a wide range of topics, including AI, data privacy, and governance.







