There’s a lot of nonsense making the rounds on the usual LinkedIn hashtags about how CISOs don’t have to be technical. That’s crazy talk.
BUT—there is a grain of truth here that’s worth exploring further. The CISO is NOT a purely technical engineering role, and it is not a Security Engineering Manager by another name.
The CISO is a business executive.
That means understanding business and having great communication skills are also key success factors. If you're “just a geek” who loves the tech and is bored to death by real-world business concerns, then a CISO role may not be for you.
However, the CISO manages risk. Business risk. Risk that can result in negative financial impact to the business.
But how can you manage risk if you don’t understand the risk?
And the risk is almost entirely technical in nature.
If you want to manage the risk of, say, a fire in a commercial building, then you had better have some understanding of fires and building materials. (You wouldn’t be a good fire insurance claims examiner without a background in firefighting!)
You want to manage cloud security risk? Then you better have some understanding of how the cloud works at a technical level.
Heavy Kubernetes user? Maybe you want to know something about how Kubernetes works, and the security concerns relevant there.
You want to manage the security risk of a data breach? Well, then you had better have some idea of how your data is secured and how an attacker might breach those controls.
If you have no idea at a technical level how security risk works, how on earth can you make good judgments to manage risk?
That's like saying “the law is a business matter, you don't need a law degree to be General Counsel.”
Umm.
Or like saying “Finance is a business matter, you don't actually need to know anything about accounting to be CFO.”
Umm.
I feel like most General Counsels and CFOs would roll their eyes at such ridiculous statements.
Likewise I roll my eyes at anyone who says a CISO can be successful without being technical.
It's a weird new role that has only existed for less than a quarter century, and we’re still figuring out what a CISO is and should be—and even for different companies the right answer might be wildly different. And that's OK.
But suggesting you can be an effective security leader without any technical skill at all is absurd.
CEOs and Boards of Directors, take note.