Kevin Winter, chief information officer at Booz Allen Hamilton, said chief information security officers should have deep technical knowledge, good communication skills and an understanding of the business mission to be effective security leaders of their group, Fierce CIO reported Thursday.
Winter spoke to reporter David Weldon in an interview and said CISOs should adequately articulate to C-level executives the security risks of their organization and how a mitigation plan could help address risks.
A properly managed security program “starts by getting the C-suite to buy-in, but ultimately it’s about getting all the employees in the organization to buy-into the program, because there is a lot of behavior that you need to change,” Winter said.
How much an organization should spend on IT security also depends not so much as on the size of the company but on what needs protection, he added, noting that there is no “one-size fits all” approach.
“You’re going to see a fluxuation, but I think it’s based on what an organization needs to protect,” Winter said.
“And it’s based off the CIO’s and CISO’s ability to communicate the effective business case for security.”