Chief information security officers and the important work they do increasingly are being recognized in the C suite. Results from the second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by the International Information Systems Security Certification Consortium, show information security professionals are moving up in the corporate ranks.
The study notes that accountability for information security has risen up the management hierarchy and now rests with the board of directors and CEO, CISO or CSO. Nearly 21 percent of study respondents said their CEO is now ultimately responsible for information security (nearly double the 12 percent of respondents holding this opinion in 2004), and 73 percent said this trend will continue.
Complex security solutions, regulatory requirements, threat-technology advances and costly security breaches make it essential that organizations be proactive in guarding their digital assets. As a result, the CISO position focuses on risk management and is becoming more integrated with business functions. Security professionals must hone their technical and business skills to prepare for this role.
Independent validation of competency and experience, together with a commitment to the information security profession, are door-openers for those who aspire to move into the CISO position. Information security practitioners should consider the value of obtaining certifications from a professional security association to help further their careers. According to the GISWS, 90 percent of respondents involved in hiring see certifications as somewhat or very important when they're making hiring decisions. And more than 60 percent indicated they intend to acquire at least one information security certification within the next 12 months.
There are two categories of information security certifications: vendor-neutral and vendor-specific. Both are helpful for career development. Vendor-specific credentials (such as those from Cisco and Microsoft) are important ways to gain necessary skills. They need to be accompanied by certifications that demonstrate a broad foundation of knowledge and experience. The Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications are sound choices.
When developing your career plan, look for help from associations offering career-building services and ongoing education, opportunities to demonstrate subject matter expertise, avenues for peer networking, access to industry research and volunteer opportunities.
A great resource for finding information security-focused educational institutions and organizations, professional associations, conferences and trade shows, online resources, and publications is the ISC2's 2006 Resource Guide for Today's Information Security Professional, Global Edition.
More of the best
To rise through the technical ranks and become a CISO, you must be able to communicate in business terms, so security certification and experience will do you little good on their own. You will need to combine your technical expertise with expertise at communicating business value, which means being able to explain the benefits of security in terms of ROI, its value in improving the organization's ability to conduct business and the practical solutions it provides to problems - all interwoven with the organization's appetite for risk.
While you enhance your security and business skills, you can work within your own organization to prepare for a career transition. Here are some ideas from a panel discussion at the 2006 RSA North America conference about becoming a CISO:
- Learn to collaborate with other departments to integrate and appreciate other roles. According to an Auburn University study, Managerial Dimensions in Information Security: A Theoretical Model of Organizational Effectiveness, implementing information security programs requires exceptionally high levels of "task interdependence". Respondents said 62 percent of their daily tasks depended on the exchange of information or cooperation with others.
- Take the value-added approach by learning how to align your responsibilities and accountability with each department's business goals. Look at the big picture - the goals and focus of the organization. Think in terms of the overall business, and know the impact you have on it and how what you do creates value for the organization. Communicating the value of information security will help in building a spirit of cooperation throughout the organization.
- Develop your own circle of trust within your organization with representatives from each department to help promote mutual understanding, appreciation and teamwork. When more people agree with you, you gain credibility. Eventually, executives will learn about your group and recognize the value in consulting you.
- Engage executives in conversation so they can get to know you and learn to trust you. These conversations should be succinct but meaningful, using business terms, not "geek speak" or acronyms. Determine how you can add value to their goals, then make your case as to why you should be consulted or included in a meeting.
- Offer executive and user security-awareness training on security threats affecting home offices and present prevention techniques. Executives will see the difference you make to their home computers or networks, and that builds their trust in your ability to make recommendations for the business' networks.
- Learn to balance opportunity risks. Many executives perceive security staff as inflexible, so they don't want to invite them to strategy meetings. Be flexible in balancing security risks with business processes that help the organization meet its goals.
So, would you like to be a CISO? Are you willing to step away from some of the technical aspects of information security? If the answer is yes, keep up to date with your technical knowledge and certifications, and learn business language and softer communication and presentation skills. Develop relationships with executives so they are aware of your knowledge and skills, and will begin to trust you and see you as a good choice for a C-level position.
Rolf Moulton is a CISSP-ISSMP, president and interim CEO of ISC2