http://federaltimes.com/index2.php?S=1147134

By JANE SCOTT NORRIS
September 30, 2005

The 2002 Federal Information Security Management Act introduced the position of chief information security officer (CISO) to the federal government - albeit with the ungainly moniker of senior agency information security official. Today, as the CISO position is earning widespread recognition and increasing stature in both the public and private sectors, we ask: "Where will the next generation of CISOs come from?"

First, we need to pose and answer two other questions: "What is the background and experience of current CISOs?" and "How is the CISO role evolving?"

Most, if not all, of those who currently hold CISO positions did not begin their careers with the ambition of becoming the senior information security officer for a large enterprise; rather, they came into their positions through a confluence of skills, innovation and opportunity. In fact, until recently, only a few people worked in this rapidly expanding discipline, so there was no career ladder to the executive suite.

However, the importance of information security and the demand for information security professionals are both growing - thanks to ever-increasing connectivity, the rush to market by vendors, expanding threats and readily available hacking tools. The 2004 Work Force Study, conducted by the International Information Systems Security Certification Consortium, projected a compounded annual growth rate for the information security profession, worldwide through 2008, at almost 14 percent, while the information technology profession's growth was projected at only 5 percent to 8 percent over the same period.

Today's CISOs have typically worked in information technology, but they have traveled a variety of routes to their current positions. According to the work-force study, information security professionals are very experienced, having worked an average of 13 years in IT and seven years in information security.
CISOs, however, require broader knowledge than the typical information security practitioner and strong management skills. With varying years of experience in the security arena, the most successful among my colleagues have several nontechnical traits in common. Each can use plain English, rather than "geek-speak," to communicate with business managers and to balance security with mission objectives.

The consideration of business requirements is the key factor in evolving the security profession's attitude from one of risk aversion to one of risk management. With interconnectivity, we've abandoned the search for absolute security and perfectly safe systems as an impossible and impractical quest. We have accepted the need for availability and usability of information and information systems, leading to the creation of the information assurance discipline.

But it doesn't stop there. Just as information management is transitioning into knowledge management, with the emphasis shifting from technical outputs to business outcomes, so the former information security profession is maturing from a purely technical approach to one that is mission-focused. To succeed, the CISO must be a strategic partner with business units.

Often under the auspices of the National Security Agency's Centers of Academic Excellence program, many colleges and universities have recently established information assurance curricula at the undergraduate and graduate levels, typically in the computer science departments. Graduates from these programs are entering the information assurance work force and expect to spend their entire careers in this discipline. Many will aspire to become CISOs at some point in their professional lives. For junior- and midlevel information security personnel, there is no well-defined CISO model and no clear path to the CISO position.
Moreover, by the time they attain the C-level, there probably will not even be a CISO position: It is more likely to be CRO - chief risk officer.

My final advice to those aspiring to become a CISO/CRO:

* Gain a solid foundation in IT, information security and risk management.
* Know pertinent laws and regulations.
* Get credentials in information security, project management, and in chief information officer competencies or business administration.
* Learn the business of the organization for which you work.
* Hone your communication and marketing skills. Think and talk in business terms, and master the art of making your case in one page.

-=-

Jane Scott Norris is chief information security officer of the State Department.