When CSO Jim Wade resigned from the Federal Reserve last year, he left behind a road map for his successor to help keep security initiatives on track. "Even though we weren't truly planning for my departure, the fact that I decided to leave had less impact on the program."
Wade's transition as the new senior VP and CSO for Cleveland-based Key Bank, he says politely, "was a little more bumpy." And more typical.
Most organizations now acknowledge the role of infosecurity in enterprise risk management. Still, the long-term success of the security program depends on the unwavering support and sponsorship of executives and IT management. When there's turnover in the upper ranks--particularly in the CIO or an equivalent position--it can spell trouble.
"It's pretty disruptive to the whole IT structure," says Kate Borten, president of the consultancy Marblehead Group. In addition to serving as CISO of health care provider CareGroup, Borten spent more than 20 years designing, implementing and integrating health care IT systems for several Boston-area hospitals. During that time, she worked through several CIO changes.
"Any kind of initiative, any technology initiative, is likely to be disrupted when there's no leadership, even if the new leader says, 'Don't stop what you're doing, but put it on pause until I can be brought up to speed and see if it's part of my agenda.'"
Wade, who also is president of the International Information Systems Security Certification Consortium (ISC)2, says it doesn't have to be that way.
"When you think about it, none of us--even though we're important or at least think we are--should be a single point of failure," he says. "Information security is getting to the point within corporate America that it has a major influence on how we do business. A lot of things come to us for the ultimate decision."
However, a recent Information Security survey on security governance suggests there's still little standardization in where security reports. Partly that's because the profession has yet to convince senior management that it belongs on the business side of operations, and not necessarily within IT. And, often, the program isn't formalized, consisting merely of a lone IT person or two suddenly shouldered with responsibilities for security.
Some CISOs answer directly to the CIO, CFO, CTO or CEO. Regardless of the reporting structure, odds are that a key player eventually will leave, and that could delay or destroy security initiatives.
"In my case, I've seen that when a reporting structure changed, so did the priority and effectiveness of the security, especially when security is under the general direction of a CFO," wrote one of the 880 security professionals responding to Information Security's survey.
The scores of candid comments from mostly anonymous sources speak of the high level of frustration that still pervades an industry trying to find its role--a more prominent one, to be sure--within an organization. Among the survey's findings:
- The top security person falls under a constellation of titles and assumes a variety of duties. Only 18 percent report directly to the president or CEO, and a mere 4 percent report directly to the board of directors. "Having the top information security person, whatever the title, report to the president/CEO is a clear indication to all employees of the importance of infosecurity in the organization," explained one survey respondent.
- Though formal security programs are gaining popularity, they remain nascent or nonexistent at small companies, which make up a majority of the survey respondents. That most likely explains why 43 percent couldn't comment on turnover--its impact on continuity has yet to be felt. That said, more respondents judged, or perhaps speculated, that turnover of their top infosec person's supervisor wouldn't affect their security program's effectiveness.
- In at least 45 percent of cases, security personnel answer directly to IT, fueling the ongoing debate about whether infosecurity and information technology can peacefully coexist, rather than compete for funding and manpower. Plenty of comments also focused on the need for security to be considered as a business need, not just a technology issue.
- Tenure in top infosec jobs averages three years, two months--a little longer than the top-end average for the more closely tracked CIO position.
Only about 40 percent of U.S. companies have a formal security program, according to market research firm META Group. But even in smaller, less defined programs, security personnel need the CIO's backing to push through practices, policies and procedures. And though CIO tenure appears to be stabilizing in recent years, there remain enough organizations with high turnover to keep the average tenure between 18 and 36 months nationwide.
That figure doesn't surprise Wade. "It happens all the time within corporate America today because of promotions or moving on with their life," he says. "It's been my experience that people who have been senior managers over the information security function tend to get promoted off. They're usually very good at what they do."
But such "promotability" has a consequence.
"Security programs take three years to establish value," says Christian Byrnes, VP and director of security for META Group. "So, if the CIO changes every 18 months, a security program never has a chance to succeed." It may take three years for a security program to be fully realized, but Byrnes and others say that's no reason to wait so long to show a program's worth. In fact, whether it's the CISO or a lone designate, it's important to produce quarterly deliverables that reflect security's value to the overall business model. And to do it before there's a need to defend your projects.
"Rather than wait for the CIO to come and ask what you're doing, take a proactive stance," recommends Alfred Passori, a CIO mentor and META security analyst. "Make sure you're not only communicating your road map to the incoming CIO, but to the IT organization and other lines of business."
That means taking the time and manpower needed to assess the risks the company faces, and then preparing a course of action to mitigate them. The plan should state infosecurity's mission and how it fits the enterprise's vision and business plan, along with specific operational needs and capital expenses. Most importantly, the CISO should expect at the very least to provide quarterly updates--and deliverables.
Sounds like standard advice, right? So why isn't it done more frequently?
For one thing, few methodologies are available to guide the process, which is surprising when you consider the growing number of security programs grappling with continuity and governance issues. META devoted four people working more than four years to compile its comprehensive document, now in its third version and including 300 task levels.
There's also the nature of the field and its practitioners, increasingly stretched by corporate downsizing and the growing threat of network intrusions.
"Everything is a fire drill, and there's no overriding strategic plan or even assessment of what the business needs from a risk management standpoint," Passori says.
Just who is called in to replace an outgoing CIO also can heighten frustration levels, particularly if he or she is deemed a bad fit. "The greatest damage in turnovers isn't in the turnover itself, but rather in placing an inexperienced or unqualified person in charge," wrote one Information Security survey respondent.
Wade says much of his training in what he calls "succession planning" came from the school of hard knocks.
"Like anything else in our business today, if you don't have a plan in advance, when it [turnover] happens, you're not going to be ready," he says. "As unpleasant as it might be to have to change jobs or to have a new boss who might not agree with you, the key is to plan and not set yourself up for failure."
Anne Saita is Information Security's senior editor and West Coast bureau chief.