To find out just how much the role of IT security leader is changing, SC Magazine caught up with a few of them. As always seems the case in this still developing industry, their titles vary — chief security officer, director, manager — but the challenges they face are similar. We asked them each a handful of pressing industry questions and their answers might surprise you.
And don't be afraid to agree or disagree with the respondents.
We welcome your comments at [email protected].
ANDRÉ GOLD
Director of information security, Continental Airlines
Q: Many pros claim that getting it right as a CSO/CISO takes 90 percent business acumen and 10 percent security knowledge. Do you agree or disagree?
André Gold: I certainly agree with this. The most precious asset a CSO/CISO has is their relationship with the business units. It's this relationship and the understanding of business processes and objectives that allow the CSO/CISO to have a seat at the table. Without the business acumen, the IT security and IT risk offices will always be viewed as overhead and hindrances to the business and not the enablers and protectors they should be.
Q: What is most important to seek out and accomplish for continued growth as an information security professional?
A: It's "experience." Information security is evolving into IT risk management. We want individuals with more diverse and dynamic backgrounds. Possessing every security certification does not align with or educate an individual about IT risk, but experience can.
Q: What are the top three primary lessons you've learned over the course of your career that have helped you evolve?
A: I've found that best practices don't always translate and aren't sustainable. Common sense security does, though.
Also, it's important to be in alignment with your organizational culture.
Third, the relationship/alignment with business units is vital.
Q: How do you see the role and influence of the CSO/CISO evolving in the corporate world?
A: I think the future is bright, but we as security professionals need to do the following to strengthen our role:
We need to focus on driving value. This means working with the business to draft comprehensive security strategies to support, enable and possibly provide a competitive advantage to the business.
We need to think in terms of "risk" and not IT security. IT security is embedded in best practices and a cult-like culture that is counter to business enablement.
I'm optimistic about change because the security industry has witnessed an infusion of CSO/CISO minds that come from non-security disciplines. The power in the future lies in the assimilation of this resource.
LLOYD HESSION
CSO, BT Radianz
Q: With regulations becoming more mature, how has your reaction to compliance changed?
Lloyd Hession: If your number one priority as a CSO/CISO is not to achieve compliance with regulations, then you are not doing the job your bosses want.
Q: How are you dealing with end-users' increasing desire to work remotely while still having constant access to data?
A: Security of the laptop/remote machine is critical, as it is now essentially the corporate perimeter. Best practice: deploying LAN security tools to limit where people can go internally will also limit where the remote machines can go. Internal LAN security is key. More than just the buzzword of endpoint security, it is controlling at a physical port level where traffic can go in the enterprise, much more than admission control.
Q: Many pros claim that getting it right as a CSO/CISO takes 90 percent business acumen and 10 percent security knowledge. Do you agree or disagree?
A: This has a lot of truth, but is becoming a bit of a cliché. Getting it right requires understanding your business, the goals of the organization, and how it delivers value to its customers. Only through going down this path can a CISO truly add value through steering the organization to a risk tolerance profile that effectively balances risk and return with respect to the goals and values of the organization. The problem is that business acumen all too often translates into making a return, without considering risk. My tagline is "getting it right as a CSO/CISO takes steering an organization to an acceptable balance between business risk and return."
Q: When it comes to training, certifications and plain qualification for the job, what is most important to seek out and accomplish for continued growth as an information security professional?
A: Good business sense and sound judgment are a prerequisite. If you don't have them, go do a business course. Security is not difficult. It really is not even that complicated. If you are a technical type, then training on platforms and tools is a worthy goal. But if you play a broader role in the organization, then you may find the options available for training and certifications do little to advance your career inside your current organization.
If business courses are not your thing, try developing your technical understanding of your organization's environment. For example, if your business runs big databases, go learn Oracle. If you run big networks, go learn how IP and networks really work.
The quality of your relationships with your IT colleagues will go up immeasurably if you can talk their language and understand the value they bring to the team. Plus you will likely better uncover the meaningful risks that the business runs when depending on that given layer of technology, and how to effectively mitigate that situation.
Q: What are the top three primary lessons you've learned over the course of your career that have helped you evolve as an information security professional?
A: Common sense is not that common. Applying it can get you to good enough decisions on accepting, mitigating or assigning risk.
"Best" is the enemy of "good enough." Unless you are safeguarding nukes, aim for "good enough" security. It's all about the weakest link in the chain, not the strongest.
A dollar on security is one less for the business to invest on better products, improving the customer experience, being efficient. There are good reasons you don't get the budget you want.
Q: How do you see the role and influence of the CSO/CISO evolving in the corporate world?
A: The future is clear. The experimentation of a CISO reporting outside of IT is largely over. Audit/compliance sits outside the business line reporting relationship. They have captured the hearts and minds, not least because they can keep the bosses out of jail.
The future is bright for security in that regulation is a full employment act for the field. It might limit the creativity in the profession, but it will guarantee its growth in numbers, training, certifications and courses.
ANONYMOUS
CSO at a high-tech communications company
Q: The job of chief security or information security officer is still quite a young profession. How do you see the role and influence of the CSO/CISO evolving in the corporate world?
A: I think the future is bright, but the convergence of security disciplines continues. In 5-10 years the role of the CSO/CISO will still be broad operational risk management, but the organization will be led by risk owners at the company. Become one of them or get out of the way.
Q: How are you dealing with end-users' increasing desire to work remotely while still having constant access to data?
A: One must continually layer and refine controls for data in transit or at rest. It's really just an extension of the age-old defense-in-depth methodologies, but focused on mobile/remote. Data should be transitory in nature and encrypted when at rest.
Q: Describe your efforts to educate the end-user.
A: We focus on providing end-users with information useful to them at work and home. As an engineering company, we also appeal to users' natural curiosities by including technical details.
Q: What is most important to seek out and accomplish for continued growth as an information security professional?
A: In order to continue growing as an information security professional you need to invest the time to keep up with the changes by staying engaged across the entire security discipline — from regulation to litigation to forensics to physical access controls to threats.
Q: What are the top three primary lessons you've learned over the course of your career that have helped you evolve as an information security professional?
A: Understand the risk tolerances of your business and what changes them.
Don't be worried about surfacing issues you think are politically sensitive when they impact risk management.
Champion development of security skill sets throughout the company. The more those around you understand about information security, the more likely they are to buy into desired change.
Q: Many pros claim that getting it right as a CSO/CISO takes 90 percent business acumen and 10 percent security knowledge. Do you agree or disagree? Why or why not?
A: I think getting it right as a CSO/CISO takes several skill sets — security, general IT, legal, finance, business acumen, etc. You can have all the business acumen in the world, but without the proper amount of security knowledge, you'll lack credibility in the trenches as an effective leader of the security organization itself.
SECURE THE COMPANY:
The right structure
Not only do the titles of information security professionals vary from company to company, so does the reporting structure.
Respondents to the SC Magazine/EC-Council Survey, conducted by SC and research firm Millward Brown, report to the CIO, director of security, CEO, CTO, COO and still others.
Jeff Combs, Alta Associates' director of technology risk recruiting, says many pros feel they're not reporting to the right person – and they're right. However, a change is afoot, with some companies deciding that their information security department might be better situated if it fell under the control of someone other than the CIO.
"The more progressive large organizations are rolling up security into IT risk management, into operational risk management," says Combs.
Other companies, though, might have a completely different approach or take the more traditional tactic of having security fall under the CIO. The problem with this, he says, is that there are different kinds of CIOs – some "innovators," who understand the value of security, and other "bean counters," who are trying to limit costs.
Another danger is a structure that calls for the IT security leader to report to the chief financial officer, because CFOs too are concerned more with the immediate bottom line than with the short- and long-term benefits of a sound information security program, says EC-Council's Sanjay Bavisi, president and CEO.
"This is a Pandora's box," he says. "If I look at the organizations I have met, almost in every instance I've seen a different hierarchical structure and many times I walk [away] scratching my head."
Professional roles are just as diverse. From the list of titles in the survey that participants said best describe their positions, the most often checked box was "other" at 26 percent. Those cited by respondents in this category ran the gamut – from CEO and director of information systems to director of government security or vice president of information systems.
Other titles chosen from the listing in the survey included IT security manager, CISO, CIO, CTO, and director of information security.
The bottom line: In this still maturing market, there seems no standard yet for either hierarchy or titles.
— Illena Armstrong