SAN FRANCISCO -- Face it, you've thought about moving up the corporate food chain to CSO. Maybe you've made it happen. With more companies creating a chief security officer position, or one with a comparable title, there are more opportunities to ascend to that role. Your best bet at getting the job -- and keeping it -- is to think more like a "suit," less like a geek.
"Your knowledge has to expand beyond your technical skills," said Lisa Johnson, global information security officer for Nike Inc. Johnson earned an MBA to learn "the lexicon of business" and continually reads business magazines to stay on top of trends, such as supply chain changes, that could impact her programs.
Johnson's advice came from a CSO panel at the RSA Conference that touched on what it's like to be in charge of security at a
Nike, for instance, isn't devoting more money this year to its internal security. Instead, Johnson's planning to optimize what she already has. "I think we have very good tools. I don't think we've leveraged all the functionality available in them," she said.
Karen Worstell, the new CSO at Microsoft, said it's important security be viewed as a business enabler, not as a deterrent to productivity, where employees must take additional steps or alter processes to help guard their work. "Finding the translation for that is not easy," she said.
Like Johnson, Dennis Devlin, vice president and CSO of The Thomson Corp., soaks up business publications to better understand how to manage the people within an organization. "The technology is very, very important, but the people and the process are probably becoming even more important." He said more emphasis must go into teaching employees to think differently about their roles within a company, particularly when it comes to social engineering. "Ultimately, each employee in a corporation is one of the gatekeepers."
Everyone on the panel, which also included security executives from Oracle Corp. and Siebel Systems Inc., agreed that pressure will continue mounting on security departments, especially those in heavily regulated industries, and that all CSOs must take ownership of their networks and systems. Also, don't expect to be popular and don't shy away from telling the truth about a company's security posture.
"This job is about stewardship. It's not about a title," Microsoft's Worstell said. She recalled the words of a former boss, who said you should come to work every day prepared to be fired. "It's not about the fear," Worstell said, "but you're still going to have to be the one who stands up and says what they may not want to hear."