“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. [Name omitted] had not worked in a fulltime cybersecurity role before he was elevated to the top cybersecurity position at UHG in June, 2023, after working in other roles at UHG and Change Healthcare. Although [the CISO] has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” the senator wrote. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.”

Right or wrong, the letter illustrates how many officials incorrectly see the CISO role as the head of the Security Operations Center or someone overseeing cryptographical strategy. It has evolved to be a far broader role and much of the value comes from persuasion skills. Technical skills are appropriate, but if the hiring executive must make tradeoffs when hiring a CISO, what trade-offs should be made?

“We’ve gotten to the point where nobody is sufficiently qualified to be a CISO. We are asking these people to be experts in cybersecurity, information technology, data privacy, AI, governance, risk, compliance, and business. Although they are rarely lawyers, we want them to be able to interpret and comply with myriad frameworks, industry standards, state, federal, and international regulations,” says Brian Levine, managing director at Ernst & Young overseeing cybersecurity. “Although we do not leave them with sufficient time to read, we want them to keep up with technology that is changing on a daily basis. Although they are technology experts, we also need them to be stellar managers — to be able to manage global vendors, employees, contractors, counsel, executives, and board members. CISOs are doing their best, but nobody can really live up to these standards.”