Educational requirements are defined appropriate to the positions and responsibilities involved.
Education in information protection suitable for making high-quality technical decisions is highly specialized and typically associated with graduate degrees in specialty fields from accredited universities. Unfortunately, there are relatively few such graduate programs and too few graduates to fill the available positions, so highly experienced professionals with proper backgrounds may be used in their place.
Experience requirements are defined appropriate to the positions and responsibilities involved.
Experience is the best teacher in terms of not making the same mistake twice, but experience has its limits. Typical experience levels required for information protection involve 1-2 years per specialty area to become competent to make judgments and have a broad understanding of everyday issues. With a proper educational background, the same experience is put in the context of that education, linking theory with reality, and this creates a far more effective individual, more capable of understanding the implications of events and more able to think “out of the box”. Given that there are something like 25 major issues in information protection at the enterprise level, at 1-2 years each, the CISO should have from 25 to 50 years of relevant work experience in order to have the knowledge base to understand all of these issues at an operational level. But technologies change over time, so while experience of 25 years ago is helpful in understanding the issues from a management perspective, it is not technically relevant at a detailed level today in most cases.
Training in appropriate areas and technologies is kept up to date with requirements for work done.
Training is particularly effective for getting an individual prepared for specific tasking. The training will typically be effective at giving them the information they need for a 6-month to 2-year period. Once they start in the task, they will adapt to changes if they desire to and be effective for several years. If it is good training, it will also provide some of the educational background that will help them understand issues over longer time frames. But training is not a substitute for education and should not be treated as if it were.
People with more advanced degrees from accredited institutions are favored over others - all other things being equal.
Degrees are often associated with expertise, but you don't need a degree to be an expert, and having a degree doesn't make you an expert. There is of course a strong correlation between degrees and expertise in most fields, but not necessarily in the information protection field at this time.