A close friend of mine just got moved from financial services executive management to the CSO role within her organization. My friend is smart and has more degrees than a thermometer. She doesn't know much about IT security, however -- except that her company isn't doing it right.
We can debate the merits of appointing a nonsecurity person to the head of a security team, but sometimes better management is exactly what is missing. As long as the key people under her handle the technical leadership roles, the combination might work out well. If she is as smart as I think she is, she'll pick up the pertinent facts and pain points pretty quickly. She's not the type to pour all her resources into the first major emergency or believe every vendor's sales pitch.
