What are some of your day-to-day responsibilities?
Norris: I don't do operational security. My job is more about developing policy requirements, performance measurement, risk management and reporting; lots of a reporting to OMB (Office of Management and Budget). I report directly to the CIO.
How's that relationship?
Norris: It's not always ideal in the corporate world. It works well, but we also don't have a choice because FISMA is explicit. FISMA puts responsibility for information security on shoulders of CIO, who delegates that in turn to the senior agency information security officer.
What kind of data does your office secure?
Norris: Different levels of data: unclassified, sensitive for unclassified, classified. And the types of data could be anything from communiqués to the field, to demarcation to the politicians, consular information on passports, visas.
Should future CISOs be business people? IT people? both?
Norris I think you need a mix [of skills]. You definitely need to understand the business you're in. I've been in IT in the State Department almost 20 years, but having served overseas a lot, I think I understand our business fairly well. That is imperative.
Do CISOs really need to learn to speak the language of business? Is that the must-have skill?
Norris: I don't know so much as speaking the language of business as speaking in plain English and not being wed to all those techie acronyms.
You need marketing skills; you talk to a lot of people and you've got some good ideas, but if you don't have the marketing skills, you're never going to get things sold. You also have to be able to make your case quickly and easily.
How does it apply in your case?
Norris: In my area, if you can't make your case in one page, you're never going to get in the door. If we were to send up a decision memo, or an information memo as we call them, to the undersecretary for management, we're limited. It's got a definite format. It's a one-pager and it's got to make a compelling case. She may later invite us up to brief, but you've got to get their attention in the one page.
It's like an elevator conversation. If you can state your case in three or four floors and get their attention, it's a real skill.
Would you suggest taking classes to hone those skills?
Norris: Sure, why not? Go to Toastmasters to learn your speaking skills. So many people in our business, if they come up through the IT world, they're not very good at public speaking or writing, or project management. Those are skills I encourage.
How many CISOs have this mix of skills?
Norris:Most of the successful ones do. It's real interesting, many of us were involved in Y2K, and I think that was the first time that I understood how important the business side of things was. That was my crusade. Hey this isn't an IT problem, it's a business problem.
Do many still work in isolation as solely an IT person?
Norris: There are these purists out there, and that's great. We need them. But are they going to make the next level? I don't really think so, not if you're going to be locked into that kind of thinking.
Public speaking, writing, project management: These are probably four-letter words to purists?
Norris: Probably, but it depends what you want to do. What are your interests? Some people want to be technologists all their days, and we certainly need them, but you can't be so embedded. If you're going to be a successful CISO, you've got to show security is a business enabler. I've been saying this for four years. I'm still surprising people with that. My job isn't to say no, it's to say how.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.