Add the ability to communicate with top-level management as the new requirement for successful chief information security officers, a panel of experts said today at RSA Conference 2006 in San Jose.
As organizations catch on to the correlation between security management and revenue, the job description for CISOs has evolved to include "soft skills," such as the know-how to speak in business terms with managers to win their trust, the four-member panel said during the "Where Will the Next Generation of CISOs Come From?" session.
If that blend cannot work, one part of the company is doomed to fail, said James R. Wade, executive director and chief operating officer for the International Information Integrity Institute. "As long as we're on opposite sides of the spectrum, somebody is going to lose," he said.
Jane Scott Norris, CISO for the U.S. State Department, said security officers must concisely portray how their work affects the company's bottom line. Thinking in terms of profit and loss, they must have a "big picture focus," she said.
"Don't use those acronyms," Norris said. "Don't use all that geek speak. Get right to the point... Security is still fairly unpopular. You have to make your case with senior management to get the budget you want."
CISOs, struggling to find their identity, are largely viewed as outcasts within many organizations, the panel said.
"I thought the 'I' in CISO was for introvert," Norris quipped. The key is to "break out of the techie cubicle," said Thomas E. Marshall, associate professor of management information systems at Auburn University.
IT professionals should offer training sessions to employees, the panel recommended. Organizations should also form committees that include both business and technology leaders.
That way, management will recognize the CISO has more to offer than, "I can hook this to this," said Betty Pierce, president and chief operating officer of Secure Network Systems.
Certification courses will emerge that mesh both technology and business instruction, the panel predicted.
But, as Marshall admitted, finding a person with an interest in cryptography and accounting will be difficult, although the panel said it hopes younger, aspiring CISOs may be more willing.