Everyone wants to know this today. One of the key attributes I have found in all the security people in the last 14 years of my career is that you need to be naturally skeptical when you look at stuff. This is one key aspect, and if you don't have this you would not be a good security person. You would have to ground that with good business pragmatism; it is not about technology, it is about securing.
I always treat technology as what it would do for me in terms of business, and ultimately security is about risk and what level of risk the business is prepared to accept. Therefore your job as CISO is to translate that business risk and business acceptability into a technology trade-off between pure security, where everything is locked down, and being able to use it in the business, and to make that judgement.
Too often security people start off very black and white if they come from a security background, and if you come from a business background you have a very pragmatic point of view and lack the security view. A good CISO should fuse these two together and take business risk and pragmatism and combine that with technology/business needs while they secure.
You should come from a background where you have done more than security.
Pure security is great. However, that is often not enough to understand the business requirements. If you want to do more than that you need to work with the business, work in the business and in different businesses. Everything you have done would bring experience to your position as CISO. Speak to your management and ask for the opportunity to work in different business areas!