
Ask HN: What knowledge and skills should a Head of Security possess? - meri_dian
With all the frustration boiling about Equifax's security head being unqualified, and as someone who isn't a security expert myself, I'm genuinely curious about what a head of security needs to know in order to do their job effectively.
======
watwut
1.) Politics - ability to negotiate, ability to convince. Experience with
management - ability to enforce the rules and create an organization that
follows them. Ability to write down understandable rules. (There is no
security if employees don't follow the instructions and share passwords with
each other.) That means creating structures for employee learning, including
lessons etc., understanding incentives, and knowing how to verify that things
are done the way they should be.

2.) Politics two - ability to plan, think ahead and gauge risk vs cost (unless
you are the CIA you don't aim for zero risk). Follow-up plan: have plans about
what to do after an incident, including PR, and know that such a plan is
needed.

3.) Knows big-picture security. Knows various standards, what they are good
for, how much they cost, their weaknesses and whether they are a good idea for
your company. Understands what the rules in those standards are for and
whether they apply.

4.) Lower-picture security - knows what pen testing and intrusion detection
are, a bit about networks, etc. Does not need to be an expert who can
configure the stuff off the top of their head, but needs to understand what
his/her people are talking about when they talk. Needs the ability to
distinguish between bullshit and fact.

~~~
PaulHoule
Politics can be a double-edged sword. "Avoiding conflicts" is an unreasonably
effective strategy until it stops working.

~~~
watwut
Being good at politics does not imply avoiding conflicts. It implies an
effective approach to them. Most importantly, the ability to defuse a conflict
and the ability to find a solution that satisfies multiple parties is not
conflict avoidance - it is a rational approach instead of an emotional, angry
one. Direct angry confrontation is sometimes part of conflict resolution too,
if you have that kind of personality, but even there you need to control
yourself enough not to make a complete fool of yourself - and know when not to
do so. Which is pretty easy for angry people.

The other part of politics is understanding what other people are up to and
why they are doing what they are doing. Knowing who can make decisions, who
can be trusted with what, who is stubbornly refusing change and thus it is a
waste of time trying to convince him, etc.

~~~
PaulHoule
I agree, but "avoiding conflicts" can make somebody look good at politics,
until...

------
EliRivers
Amongst others, people skills. Excellent written and spoken communication
skills, good presentation skills; the ability to explain to people why they
have to be so inconvenienced and ideally make them _want_ to. Flexibility and
compromise; empathy and understanding and the willingness to relax security
restrictions in the right circumstances.

The biggest obstacle to security is the people you're trying to keep secure.
If you don't get them on side and keep them on side, they will subvert
security themselves from the inside. Get them on side and keep them on side
and they themselves will identify opportunities to improve security that might
otherwise be left open forever.

------
segmondy
Almost everything most people in here have said.

plus

They must have a strong network in the industry, so they can hire and poach
the best from their network.

They must know how to hire. They are not going to be the ones that are doing
the actual work so they need a competent team.

They must know enough to listen and make decisions. It's not enough to have a
team if you won't listen to them. You must be competent enough to listen to
them so that if someone comes to you and asks for $100,000, you can gauge that
it's a smart spend and authorize it quickly. Security is not one of those
things you can sit on and wait on.

------
walterkobayashi
Broadly speaking:

- A good understanding of functional IT, knowledge about typical systems and
processes in an industry (BFSI/Tech/Life Sciences), what sort of things are
being protected from hackers (Windows-heavy environments/macOS-heavy
environments)

- Must have hands-on knowledge of network security and the tools/processes
being used in a company

- Must understand regulations related to the industry (e.g. HIPAA)

- Must have at least 10 to 15 years of experience in 3 or more areas of
security like network security/SOC, audit/compliance, risk management,
sysadmin/network, security engineering.

------
PhilWright
I would love to tell you but it is classified. Only the head of security is
allowed to know the full details.

------
castillar76
* A solid understanding of security technology. I don't expect a CISO to be able to field-strip a firewall or jump in and take the place of one of her line analysts, but I do expect the CISO to understand firewall technologies and talk intelligently about why they're important. One of the CISO's jobs is advocating for security controls with other business organizations, which necessitates the ability to talk intelligently and in layman-understandable terms about what those controls entail, what those technologies do, and why they're important. A CISO who doesn't understand what a digital certificate is will have a hard time arguing for protecting them or will accept weak protections because they sound stronger than they are. Worse, a CISO who doesn't understand security solidly may call for implementing controls that don't make sense or that don't afford any protection, or will focus too heavily on one area while neglecting another. The amount of technological know-how in the CISO will likely vary according to company and org size: the CISO of a small company will likely also be the security person and therefore should be very security-tech-savvy; the CISO of a large corporation will likely be much further removed from the console glass because their scope is much larger. In the latter case, you would expect the CISO to have a solid organization of very security-tech-savvy people _to whom the CISO would listen closely and trust to make good recommendations_. (This latter part seems to get overlooked.)

* CISOs must understand risk, and be able to articulate it in a balanced picture to non-security people. CISOs who always say no and couch risk in the most apocalyptic terms are actively disabling their companies; CISOs who always say yes and couch risk in the gentlest terms are setting their company up for Equifax-level failures. The old saying is "A ship in harbor is safe, but that's not what ships are for" -- the CISO needs to be able to let the ship sail when appropriate while still pointing out the reefs on the map.

* Along similar lines, the CISO needs to understand her particular company and its industry well. If you don't understand what makes the company money, you may wind up arguing for controls that cut profits or hinder business. CISOs also need to understand and anticipate trends in their industry and as a whole. Cloud, containers, agile development, devops: these are all huge trends in the industry right now, and a good CISO will see them coming and have considered where to fit them in (or where to say "nope, can't do that (right now)...and here's why") so when the business pops up and says, "We want to do that!" she can explain what's possible, what's reasonable, and where the risks are for their particular business. A healthcare company with extensive HIPAA and FedRAMP regulations is going to have an entirely different approach to the cloud than a software-focused startup working on a new social media solution!

