"This is why you see increasing -- numbers of courses and certifications. The skills to approach the business problem, lay out coherent strategies that are digestible to the common user, and set forth tactical deployment plans are extremely difficult to find," says Foley
Business and financial acumen
Sought-after CSOs understand the key business lines in their respective organizations and the impact of security on a company's bottom line, says Young. This understanding is also important for recognizing where potential vulnerabilities might lie within the organization, such as with outsourced services or data, or lines of business that are popular targets for cyberattacks.
CSOs that have an advanced business degree such as an MBA are always going to be that much more desirable than those who do not, according to Jerry Irvine, CIO of IT outsourcing company Prescient Solutions and a member of the National Cyber Security Task Force.
"From the standpoint of being able to understand business drivers, strategic planning, understanding the mission and vision, CSOs must have business experience. If they're going into large multinational corporations, that will probably require an MBA or a degree in business administration, says Irvine.
Technical certifications like CISM, CISSP, CRISK, and CTBIT are helpful, but CSOs need to prove they have a grounding in business-risk analysis.
Good communication skills
It will always be extremely important to be able to communicate with diverse audiences, says Young. Not only must CSOs make complex security issues understandable to the enterprise at large, they must also make it clear how important security risk, particularly digital risk management, is to the executive suite's agenda. David Luzzi, executive director of Northeastern University's Strategic Security Initiative, adds logical reasoning and the ability to inspect ideas as important skills to build on the foundation of excellent verbal and written communication skills.
David Frymier, CSO at Unisys, has more than three decades of experience in IT, with much of his recent years devoted to information security. Frymier is not inclined to get a certification or an MBA to make himself more attractive at this point in his career. His take on one of the top skills to have today?
"The ability to self-teach is a given," says Frymier. "As fast as things change, you have to be able to teach yourself how to do new things."