[ISN] How to break out of the CISO role in five easy steps

From: InfoSec News (alerts@private)
Date: Tue Nov 06 2007 - 03:04:12 PST


By Cara Garretson
Network World

The path from CISO to executive team may not be a well-tread one, but 
breaking out of the security box and into the board room can be achieved 
by thinking about business.

So says Michael Corby, a consultant, security professional, and former 
CIO who spoke at the CSI 2007 security conference held near Washington, 
D.C. this week. During a session on leadership, Corby pointed out the 
five flaws that can keep security professionals from making corporate 
leaps, and offered five suggestions for overcoming them.

Five things that CISOs should do less of:

1. Be too much of a security evangelist and perfectionist. While these 
   are traits that tend to come with the job, as CISOs often feel the 
   fate of their company’s security rests solely on their shoulders, 
   they are not characteristics that tend to endear security 
   professionals to other managers, Corby says. A constant focus on 
   security can appear myoptic to others, leading them to believe that 
   the CISO doesn’t really understand the business.

2. Take on the `key person’ role. If a CISO is the only one employees 
   can turn to for help solving particular issues, that person soon 
   becomes trapped in the job, Corby says. “Help people become educated 
   and able to solve their own problems; you get less questions when 
   people can find their own answers,” he says.

3. Get lost in the organizational chart. Because security plays a role 
   at various places in an organization, it often doesn’t show up as a 
   function at the corporate executive level. CISOs need to show how 
   their jobs impact business continuation and risk minimization, and 
   have an effect on the organization’s bottom line, he says.

4. Become limited by professional backgrounds. “I don’t know too many 
   MBAs that aspire to be CISOs; there are very few people with 
   corporate mentalities that go into security, so we have this gap 
   between our background and where we are, and what we need to do to 
   take the next step,” he says.

5. Let professional goals become limitations. CISOs want to be very good 
   at their jobs, but they get stuck as their company’s sole resource on 
   security, Corby says.

Five things that CISOs should focus on instead:

1. Redirecting social circles beyond technology. Corby recommends 
   joining the chamber of commerce or industry-specific associations and 
   organizations. “Hobnob with the kind of folks that are in your 
   company,” he says. “It shows that you have the breadth to go beyond 

2. Finding something to excel in besides technology; people management, 
   for example. “That’s neutral territory; all aspects of your 
   organization need good people management,” Corby says. “If you 
   demonstrate you manage people well, you’re more likely to grow your 
   staff or accept responsibility for additional staff.”

3. Taking an interest in the core business. Many industries, including 
   insurance and banking, offer courses for professionals looking to 
   learn more about the business, he says. “It’s something you can do to 
   get some letters after your name,” he says.

4. Running the security department as its own business. Corby offers the 
   example of when he was CIO of a large consulting company he put 
   together a business within a business, with dedicated roles such as 
   finance and marketing. “If you can do that, it shows you can run a 
   business,” he says.

5. Having patience. “Don’t expect to become CEO overnight,” he says.

All contents copyright 1995-2007 Network World, Inc

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com

This archive was generated by hypermail 2.1.3 : Tue Nov 06 2007 - 03:12:16 PST