This article can also be found in the Premium Editorial Download "Information Security magazine: Exclusive: Security salary and careers guide."
Walk the Walk, Talk the Talk
It all starts with really knowing your business. More than 80 percent of the executives we surveyed believe that understanding a business's unique challenges is very important.
"CISOs are people who can be incredibly tech- and detail-oriented, but they have to step back and look at the larger picture," says Ruth Harenchar, CIO for legal services firm Hobart West Group.
The big picture includes the ability to balance risk against business needs and make good judgment calls, explains Jeff Huegel, CSO of USi, an application service provider of enterprise and e-business solutions. "If you want to enter the executive ranks, you need to understand business strategies, financial bottom lines and decision making around the businesses' organizational purposes," he says.
Security is not cut and dried. The keys to being a successful security executive are balancing the risks and accurately communicating and portraying some risks as more serious than others, says Harenchar.
While security may be your expertise (and comfort zone), it is important to realize that, when an executive makes a business decision, it is only one piece of the puzzle.
"Security isn't the linchpin; it's just another facet to understand," says Peter Gregory, a senior security specialist with more than 20 years of experience. "Security experts aren't the only ones bringing information to the table--legal, R&D and sales, among others, have their say, too. A good security professional wants business leaders to make an informed decision."
"During my tenure as CISO, I saw bright people that were much better technically at security than I was," explains Ken Tyminski, consultant and former CISO for a large financial services firm. "But they didn't always understand how to evaluate business risks, and often focused on having the best security technology rather than addressing the business risk."
Perceived shortcomings in security professionals, say our survey respondents, are seeing things as black or white and squelching projects outright. As one senior-level executive put it, "You need to lead the way, not get in the way."
You have to be business savvy and be able to sit down with anyone in the company to understand their problem and their needs, says Huegel. "Most of the time you will be talking to people who don't know the fundamentals of security technology," he says.
This was first published in July 2006