In fact, more than technical aptitude, future CISOs will need people skills, says Khalid Kark, senior analyst at Forrester Research. That's because they need to get buy-in at the executive level, and also need to educate and train end users about security threats and secure practices.
"CISOs will not be technology experts, they will be more people experts if they want to succeed at their jobs," Kark says.
Not so fast, says Tim Maletic, manager of information security and information services security officer at Priority Health, a Michigan-based health insurance company. He agrees that people skills are essential--a security professional has to be a jack-of-all-trades and deal with many different groups in an organization--but says technical ability is critical too.
"You can't get so far behind the times with what's going on with current technology that you're getting blindsided or are missing opportunities as new projects are coming through and not seeing how they relate to risk for your organization," he says.
Maletic says he finds himself pulled between the two worlds of business and technology. Building a strong team has helped manage that; he can tap his engineer's expertise with the latest technology.
He and other security officers also are finding ways to deal with the pressure of ever-present auditors. People skills come in handy on that front.
"You want to make auditors your friends. You need to work cooperatively with them," Maletic
IESO's Lewis says auditors shouldn't be treated as the enemy, a misconception common among some in IT: "Auditors are there to help you improve your business, not to flame broil you."
However, external auditors can present a different challenge, Maletic notes. In those cases, it's not so much about collaboration as about defining business requirements.
"And making sure that [with] each objective or control being tested, you can reach an agreement with your auditor about the value and not just roll over and let them do it a hundred percent their way," he says.
Regulatory compliance has been frustrating and time-consuming for CISOs, but a framework such as ISO 27001 can help address multiple regulations instead of dealing with them piecemeal, according to a Forrester survey.
This was first published in July 2007