This article can also be found in the Premium Editorial Download "Information Security magazine: Exclusive: Security salary and careers guide."
It's the Can-do Attitude
Experian's CISO makes security an enabler
Name: James Christiansen
Title: Experian CISO
Key career move: Switching from engineering to information security at Visa
James Christiansen was an engineering executive at Visa International in the late '90s when the company suffered a very public, embarrassing incident involving a stolen laptop. Intent on preventing similar events, the company's IT president asked Christiansen what it should do. Christiansen went to work on a business plan, scouring the Internet and anything he could get his hands on regarding security best practices. He handed the president his plan with the recommendation that Visa create an information security division and got a quick answer: Do it.
Eight years later, after becoming Visa's first information security officer and then the worldwide CISO for General Motors, Christiansen has taken up a post as CISO at credit and financial services firm Experian. He credits his success to his combination of technical and business experience.
At Visa, he directed the project management office and worked in IT financial management before moving into engineering. He also worked as the business relationship manager of call center operations at Household Credit Services, and, before that, worked in various database, systems engineering and programming jobs. His professional credentials include an MBA.
In Christiansen's opinion, a CISO needs deep technical grounding balanced with a strong understanding of business; using jargon and fear to convince the CEO of the need for security is "the loser approach," he says. "You need to be able to translate the issues into terms the CEO can understand."
That skill of couching security in terms of driving revenue helped him earn an unusual honor for a security official last year: an award for his contribution to Experian's sales.
Instead of always saying no, it's critical for a CISO to figure out a way to build on the company's initiatives while still retaining confidentiality and data integrity, he says. "You've got to find a way to say 'yes.'"
Lloyd Hession, CSO for BT Radianz, a New York-based provider of secure connectivity for the financial industry, says that funding is being funneled to audit teams--away from those doing security work. He fears salaries may have leveled off for those reluctant to take the plunge into risk management. "The auditor keeps the CEO out of jail and has a seat at the big table," Hession says. "Audit people have moved up in prominence while everyone else has [moved] down." According to Alta's Brocaglia, salaries have leveled off as skills have gotten commoditized and/or outsourced.
"If a premium is paid anywhere, it's for the information risk area," she says. "Folks who are truly paid the most generously are the tri-athlete candidates: they have strong business acumen, a good technology base and the ability to communicate. Companies are asking for program managers and people who tie together disparate security aspects of business units, manage the entire function and present that package to the board or senior executives."
If paychecks are any indication, companies value a combination of IT and auditing skills. CISOs increasingly have more of a business-process background than one of strictly computer security or engineering. SANS found that managerial types--like senior security executives (CISO, CSO) and senior policy executives (CTO, director of IT operations)--make $106,326 per year, and technical security pros earn on average $75,275 per year. Security analysts and network security architects (positions with a technical focus) earn a median salary of $74,200 per year, according to Foote Partners.
The CISO must have strong business acumen and articulate technology solutions to a diverse audience, says Tracy Lenzner, CEO of LenznerGroup, an executive recruitment firm. Says Brocaglia, "There's a direct correlation between the increase in offers made to those candidates who have a more holistic approach of risk and executive management skills, which are required for other executives in a company."
This was first published in July 2006