Technical CSO x Gartner's MBAs
A short interview by Brian McKenna with Paul Henry in Infosecurity Today magazine (Nov/Dec issue) caught my attention, as it sheds a very bright light on an interesting topic: the "trend" of security teams starting to be composed more of MBA-type guys than of technical personnel.
Well, Mr. Paul Henry is very clear, and his thoughts fit my opinion too, in saying that a security team can't be made up only of "business guys". He is right to point out that the results would be policies and procedures that wouldn't be followed because of a lack of technical enforcement safeguards. His examples use situations where people's security awareness can improve security a lot but is not enough to achieve the desired level.
He also offers a very interesting opinion about research companies like Gartner pointing to this businessmen trend. This would put more guys who like to hear their opinions and can't challenge their technical positions in charge of security departments, making their job a lot easier.
I strongly agree with Mr. Henry. Yes, security is not only a technology problem. However, technology is a very big part of the problem (and of the solutions). The people dealing with it need to know about the technology involved. CSOs usually participate in several meetings about new projects or technology products being bought by the organization. They need to, at a minimum, know how to detect that something was made without security in mind. Unfortunately, most CSOs that I know can't even do this basic analysis.