[ISN] The next IT security leaders - Know the tools to succeed in growing field

InfoSec News isn at c4i.org
Mon Oct 3 08:33:49 EDT 2005 

http://federaltimes.com/index2.php?S=1147134

By JANE SCOTT NORRIS
September 30, 2005

The 2002 Federal Information Security Management Act introduced the 
position of chief information security officer (CISO) to the federal 
government - albeit with the ungainly moniker of senior agency 
information security official. Today, as the CISO position is earning 
widespread recognition and increasing stature in both the public and 
private sectors, we ask: "Where will the next generation of CISOs come 
from?"

First, we need to pose and answer two other questions: "What is the 
background and experience of current CISOs?" and "How is the CISO role 
evolving?" Most, if not all, of those who currently hold CISO 
positions did not begin their careers with the ambition of becoming 
the senior information security officer for a large enterprise; 
rather, they came into their positions through a confluence of skills, 
innovation and opportunity. In fact, until recently, only a few people 
worked in this rapidly expanding discipline, so there was no career 
ladder to the executive suite. However, the importance of information 
security and the demand for information security professionals are 
both growing - thanks to ever-increasing connectivity, the rush to 
market by vendors, expanding threats and readily available hacking 
tools. The 2004 Work Force Study, conducted by the International 
Information Systems Security Certification Consortium, projected a 
compounded annual growth rate for the information security profession, 
worldwide through 2008, at almost 14 percent, while the information 
technology profession's growth was projected at only 5 percent to 8 
percent over the same period.

Today's CISOs have typically worked in information technology, but 
they have traveled a variety of routes to their current positions. 
According to the work-force study, information security professionals 
are very experienced, having worked an average 13 years in IT and 
seven years in information security. CISOs, however, require broader 
knowledge than the typical information security practitioner and 
strong management skills.

With varying years of experience in the security arena, the most 
successful among my colleagues have several nontechnical traits in 
common. Each can use plain English, rather than "geek-speak," to 
communicate with business managers and to balance security with 
mission objectives. 

The consideration of business requirements is the key factor in 
evolving the security profession’s attitude from one of risk aversion 
to one of risk management. With interconnectivity, we've abandoned the 
search for absolute security and perfectly safe systems as an 
impossible and impractical quest. We have accepted the need for 
availability and usability of information and information systems, 
leading to the creation of the information assurance discipline. But 
it doesn't stop there.

Just as information management is transitioning into knowledge 
management, with the emphasis shifting from technical outputs to 
business outcomes, so the former information security profession is 
maturing from a purely technical approach to one that is 
mission-focused. To succeed, the CISO must be a strategic partner with 
business units.

Often under the auspices of the National Security Agency's Centers of 
Academic Excellence program, many colleges and universities have 
recently established information assurance curricula at the 
undergraduate and graduate levels, typically in the computer science 
departments. Graduates from these programs are entering the 
information assurance work force and expect to spend their entire 
careers in this discipline. Many will aspire to become CISOs at some 
point in their professional lives. For junior- and midlevel 
information security personnel, there is no well-defined CISO model 
and no clear path to the CISO position. Moreover, by the time they 
attain the C-level, there probably will not even be a CISO position: 
It is more likely to be CRO - chief risk officer. 

My final advice to those aspiring to become a CISO/CRO: 

* Gain a solid foundation in IT, information security and risk
  management.

* Know pertinent laws and regulations.

* Get credentials in information security, project management, and in
  chief information officer competencies or business administration.

* Learn the business of the organization for which you work.

* Hone your communication and marketing skills. Think and talk in
  business terms, and master the art of making your case in one page.

-=-

Jane Scott Norris is chief information security officer of the State 
Department.

More information about the ISN mailing list