Information Security Magazine
Perspectives
by Dave Shackleford
Issue: Nov 2007

Being a figurehead in operations isn't enough; CISOs need risk management know-how.


Let me begin by saying I'm friends with many CISOs; I have done significant business with them, reported to them, and been one myself. During the past five years, I've seen trends that lead me to believe the CISO role needs an update, and those who fail to recognize this may soon wonder where their careers went.

Most CISOs I have run across are trying to build and maintain empires with hands-on operational employees, such as firewall administrators, intrusion detection specialists and forensic analysts. In most IT organizations, however, there already are well-established operations teams that cover network infrastructure, server and desktop administration, application development and maintenance, and other areas. As security has evolved from a niche discipline into something every IT professional should be aware of, it makes more sense to take a strategic approach by migrating similar operational functions into well-established groups that overlap with security. Trying to win the headcount war is a losing battle for security managers.

Even in larger organizations with big security staffs, many CISOs have very little political power. Research indicates this problem stems from a poorly defined role for information security management. Last year, Gartner released a study on the top five issues for CISOs; chief among them is the matter of whom CISOs report to, and who in turn reports to them. Most organizations place the CISO in the IT hierarchy. This invariably leads to the CISO being another operational player, with the same strategy for acquiring budget, headcount and attention from executive management.

Over time, information security operations will migrate to other areas of IT. Network intrusion detection and firewall management will move to network operations, server hardening and file integrity monitoring will fall under systems administration, and application security will be the responsibility of development teams. Where does this leave CISOs and other security managers? How can CISOs become real strategic players and not just security figureheads within IT operations?
