For CISOs, fitting in was never so hard

By Eric B. Parizo, News Editor
07 Feb 2006 | SearchSecurity.com

Security Wire Daily News

Chief information security officers are beginning to drift away from their companies' information technology hierarchies, and the career ambitions of their underlings may not look as bright as a result.

It may sound frightening, but it's just a natural industry evolution, according to research findings from Stamford, Conn.-based Gartner Inc.

Its recently released research summary, The top five issues of chief information security officers, outlines key issues challenging CISOs and their organizations heading into 2006. Foremost among them, said author and Gartner Vice President and Role Service Director F. Christian Byrnes, is whom CISOs will report to, and who reports to them.

Even though the CISO position is still relatively new, Byrnes said a number of large organizations with a mature outlook on security have adjusted their hierarchies so that, instead of reporting to a CIO or director of IT, the CISO reports to a chief risk officer (CRO), who answers directly to the CEO or board of directors.

"It just makes life so much easier," Byrnes said, noting that it not only demonstrates that an organization's leaders are dedicated to mitigating business risks, but also makes it easier for CISOs to justify security expenditures. "If you work for the CRO, all you have to do is prove that [a purchase] is an intelligent business decision."

Byrnes said Gartner estimates that 30% of its clients have already adopted the organizational model, and more will over time. He said many CISOs have found that as their companies' understanding of and interest in security increases, their bosses, often CIOs, don't possess the clout needed to accomplish what often amounts to a radical strategic shift.

The five issues

Here are Gartner's top five strategic questions for the role of CISO:

  • Where should CISOs stand in relation to the organization?
  • How does governance affect the CISO?
  • What role does the CISO play in the budgeting process?
  • How does security architecture affect security program management?
  • How will regulatory compliance issues affect the CISO?

That organizational change is being driven largely by compliance. Byrnes, who is heading up Gartner's new effort to track the convergence of information security and high-level business issues, said compliance mandates -- specifically adhering to the requirements of the Sarbanes-Oxley Act of 2002 (SOX) -- force companies to change their organizational structures and their spending patterns to stay within the guidelines.

"We had seen the trend prior to SOX, but since then it's caused the preexisting trend to explode," Byrnes said. "Compliance spending right now is probably close to its peak, but there are still lots of organizations that haven't absorbed how to be compliant."

While the change may make life easier for CISOs, it's not good news for some security specialists. Byrnes said that as the CISO moves out of the IT organization, the security specialists who go with him often find that their careers struggle as a result.

For instance, if a company's CISO is responsible for intrusion detection, then IDS specialists may transition with him or her into a group outside of IT. While that team would likely specialize in monitoring, forensic network analysis and recovery processes, there would be little career development and far fewer opportunities to move up the ladder than in the larger IT organization.

Essentially, Byrnes said, it's an irresolvable conflict.

"The question becomes how many functions should migrate outside of IT, because security has a lot of technical requirements," he said. "We know certain security functions will move out of IT with the security officer, but unluckily that 'dead-ends' most of the other people who make the move."

Plus, Byrnes added, even though risk auditors may like having security functions separated from IT, a CISO would only be responsible for security policy management, calling into question which group has the power and the ability to monitor policy enforcement.

"That brings you right back to the problem of if IT is monitoring enforcement," he said, "and [if] the systems administrator is the person stealing things, who is going to catch them? Who is motivated to?"

Though questions about the changing role of the security officer will linger for some time, Byrnes said the transition will help CISOs be more effective in the long term. That's because many of them rely on their IT background, mistakenly underestimating the importance of talking with business managers and reaching a common understanding about the role security plays.

"I can give you an hour and a half on why awareness programs haven't worked and where they have to be five years from now," Byrnes said. "If the CISO comes in and focuses on technology, they may never figure out why they were fired."
