This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
Download it now to read this article plus other related content.
Succeeding in a pressure-filled world of auditors and cyberthreats requires skills in business, technology, people and more.
With a load of regulatory requirements, auditor scrutiny and evolving cyberthreats, it's a pressure cooker for an information security executive these days. How's a security manager supposed to survive, let alone succeed, in the enterprise?
A big part of the answer has become a CISO mantra: Technology skills aren't enough; a security professional also needs business know-how. A successful one understands how the business works and can speak in terms the C-suite comprehends.
"We're there to facilitate the business, not hinder it. In order to do that, you have to be able to pull your head out of the ones and zeros and speak intelligently to people who don't understand the ones and zeros," says Dave Lewis, senior information security officer at the Independent Electricity System Operator (IESO) in Ontario, Canada.
Some security professionals are so focused on blocking attacks that they overlook how a threat affects their particular business, he says: "You have to understand what your business does and the risks involved for your business."
The ability to translate security threats to business risks is critical for getting a seat at the executive table, says Tim McKnight, vice president and CISO at defense contractor Northrop Grumman. And when you get time with the C-suite or
"You don't want to bring FUD.... You're never going to get more with those people than a few minutes at a time," he says.
Rather than virus statistics, talk about how security can help cut costs, reduce risk, improve compliance or enhance time-to-market. For example, if your organization grows primarily through M&A activities, talk about how security systems can help, Fredriksen says.
Along with business-speak, security executives need strong leadership and communication skills, and should focus on developing their employees' talents, says McKnight.
"If you don't have the best talent around you, you're not going to succeed," he says.
This was first published in July 2007