SAN JOSE, Calif. -- The next generation of chief information security officers won't necessarily rise through the tech ranks. In fact, security managers will compete with lawyers, accountants and MBAs for the top slot.
Today's CISOs already require skills well beyond reading firewall logs and keeping up with malware outbreaks. They are typically charged with setting a company's security agenda or taking a more tactical role in daily operations.
"To… progress, we're going to evolve into the business sector and break out of the techie cubicle," Auburn University associate professor Thomas E. Marshall told an audience at the recent 2006 RSA Security Conference during a panel sponsored by the non-profit (ISC)2. That organization, officially known as the International Information Systems Security Certification Consortium Inc., governs the popular CISSP credential that is widely viewed as a stepping stone to upper security management.
But it's becoming clear that holding any of the 135 security credentials now available is no longer enough. Those wishing to advance must develop a stronger sense of what it takes to run a business, not just an IT shop. That includes learning to "schmooze" and better communicate with a wide variety of personalities.
"We have a hard time training people with those 'soft' skills," said James R. Wade, executive director and COO of the International Integrity Institute (I4), "and as you move up within a company, those soft skills
This is particularly true of information security executives, who aren't typically the most appreciated people in the boardroom. "Security is still fairly unpopular, and you've got to make your case with senior management…to get your part of the pie," said Jane Scott Norris, the CISO for the U.S. State Department and an (ISC)2 government co-chair. "That requires marketing skills."
The growing arm of regulation is giving security departments, and their leaders, a stronger say in companies' direction, but security-oriented laws like SOX, HIPAA and Gramm-Leach-Bliley also are within the realm of lawyers and auditors, who will compete for top security-related jobs such as CISO or chief risk officers.
Betty Pierce, president and COO of Secure Network Systems Inc., suggests companies pick protégés from within, rather than search externally, and expose those people to all the different lines of business. That also means candidates must demonstrate that they understand the language of business and are truly engaged in problems that span beyond their department.
Other suggestions for potential security executives include:
- Speak in plain English, not technical terms, when addressing business units.
- Create a council or committee that includes other key departments, from legal to human resources. Meet monthly or bimonthly to discuss how information security is helping or hindering their jobs. This not only establishes contact with key people in other lines of business, but also lets members collectively become more influential in pushing some security programs. It reinforces teamwork skills as well and may boost the group's influence over time.
- Become more engaged in other areas by discovering where problems exist. This will increase trust levels among various departments. "People love to talk about what they do," Pierce said.
- Offer companywide security training, perhaps over lunch. Start with desktop issues that employees also can use on their home PCs to draw initial interest. That will spill into the enterprise's needs.
- Look at security as an enabler. When pushing for a security initiative, make it clear how the company can be more secure and its employees more productive. Don't just dwell on doomsday scenarios.
- Get experience in project management to complement your security credentials.