The question of how focused CISOs should be on technology versus the business inherently draws a line between the two, as if they were separate things. This overlooks the fact that technology (and the risk associated with it) exists because of business objectives and decisions. In other words, technology, information, and their related risks are artifacts of the business.
If we come at it from this perspective, the question regarding CISO focus changes to one of being able to understand, measure, and communicate to executives the risk dimension of technology/information within the context of the business. Yes, this requires an understanding of technology and business, but the focus is on connecting the dots rather than treating them as somehow separate.
When that happens, business executives will better understand the risk implications of the decisions they make, which improves their ability to avoid or correct serious risk conditions. This also means that a CISO's strategy is much more likely to be aligned with the business, which will improve their ability to get the support they need to be effective. It also makes the role and responsibility of business executives in the risk posture of an organization much clearer.
So, yes — CISOs need to understand technology and business, but I believe the focus needs to be on understanding them as inseparable parts of a whole rather than as somehow distinct from one another.
Jack Jones is the creator of the FAIR (Factor Analysis of Information Risk) model. Got a question for Jack? Become a FAIR Institute member and join the discussion.