The path from CISO to executive team may not be a well-tread one, but breaking out of the security box and into the board room can be achieved by thinking about business.
So says Michael Corby, a consultant, security professional, and former CIO who spoke at the CSI 2007 security conference held near Washington, D.C. this week. During a session on leadership, Corby pointed out the five flaws that can keep security professionals from making corporate leaps, and offered five suggestions for overcoming them.
Five things that CISOs should do less of:
1. Be too much of a security evangelist and perfectionist. While these are traits that tend to come with the job, as CISOs often feel the fate of their company's security rests solely on their shoulders, they are not characteristics that tend to endear security professionals to other managers, Corby says. A constant focus on security can appear myoptic to others, leading them to believe that the CISO doesn't really understand the business.
2. Take on the `key person' role. If a CISO is the only one employees can turn to for help solving particular issues, that person soon becomes trapped in the job, Corby says. "Help people become educated and able to solve their own problems; you get less questions when people can find their own answers," he says.
3. Get lost in the organizational chart. Because security plays a role at various places in an organization, it often doesn't show up as a function at the corporate executive level. CISOs need to show how their jobs impact business continuation and risk minimization, and have an effect on the organization's bottom line, he says.
4. Become limited by professional backgrounds. "I don't know too many MBAs that aspire to be CISOs; there are very few people with corporate mentalities that go into security, so we have this gap between our background and where we are, and what we need to do to take the next step," he says.
5. Let professional goals become limitations. CISOs want to be very good at their jobs, but they get stuck as their company's sole resource on security, Corby says.
Five things that CISOs should focus on instead:
1. Redirecting social circles beyond technology. Corby recommends joining the chamber of commerce or industry-specific associations and organizations. "Hobnob with the kind of folks that are in your company," he says. "It shows that you have the breadth to go beyond security."
2. Finding something to excel in besides technology; people management, for example. "That's neutral territory; all aspects of your organization need good people management," Corby says. "If you demonstrate you manage people well, you're more likely to grow your staff or accept responsibility for additional staff."
3. Taking an interest in the core business. Many industries, including insurance and banking, offer courses for professionals looking to learn more about the business, he says. "It's something you can do to get some letters after your name," he says.
4. Running the security department as its own business. Corby offers the example of when he was CIO of a large consulting company he put together a business within a business, with dedicated roles such as finance and marketing. "If you can do that, it shows you can run a business," he says.
5. Having patience. "Don't expect to become CEO overnight," he says.