BOSTON (05/15/2000) - Information security officers (ISOs) often struggle to be successful. Many find they can't improve security because they're unappreciated by their bosses, ignored by the business managers they're supposed to serve, adrift in technology they don't fully understand, ridiculed or ignored by auditors and systems administrators, or all of those things.
But not all ISOs are grumbling and falling short. Ten out of the 120 with whom we recently spoke appeared to be respected and supported by their bosses, sought out for counsel by business managers and accepted and appreciated by the systems administrators. That combination allows them to make major advances in improving security.
Three habits seem to make those 10 ISOs different:
1. They made security part of the business process rather than a barrier to business growth. They did this by automating configuration management and security testing, establishing processes that ensure that security is designed into new systems early and working with business units to make new systems as safe as possible while still deploying those systems quickly enough to maintain competitive advantage.
2. They hired top-flight technical talent for their security teams to enable effective discussions with systems and network administrators as well as application developers. Says one, "Every organization I've worked for has [initially] had a technically weak and thus despised security function. Usually what we do is replace the technically hopeless with smart technical security people."
All 10 say security was more than a technology problem, but none takes pride in being "nontechnical." One highly successful ISO who didn't have a budget for a technical staff compensated by immersing himself in courses on advanced security technology, from interpreting IP headers to updating firewall rule sets to running hacker exploits. His answer, when asked how he was able to master the technical material: "It's not rocket science."
Technical skills protect ISOs from the profession's most common error: writing policies and procedures that can't be implemented.
3. Six ISOs earned support from top management by succeeding in other important corporate roles before becoming security officers. They negotiated their authority before accepting the ISO role. Because the quality of their judgment was already proven, they had the confidence to act forcefully and forge partnerships that worked.
What if you find yourself in an ISO position without the respect and support of top management? You could whine, but that's a career-limiting move. Instead, partner with the technologists or take the opportunity to immerse yourself in technical training.
ISOs have a unique responsibility for ensuring security. When they fail, they put their organizations and others on the Internet at risk. But they don't have to fail if they follow the lead of these pioneers.
ALAN PALLER is director of research at the SANS Institute in Bethesda, Maryland.