PING with Jane Scott Norris

In an interview with Information Security magazine, Jane Scott Norris, Department of State's first CISO, offers some insight on what it takes to become a CISO.

Future CISOs owe a debt of gratitude to people like Jane Scott Norris. Not only is this government veteran a trailblazer as the Department of State's first CISO, but longer than most, she's been evangelizing the need for security managers to learn the businesses they serve. A technology background is vital, but Norris is an advocate for sharpening your marketing, speaking, writing and project management skills. These may be four-letter words to purists, but today's purist is hard-pressed to be tomorrow's CISO.

What are some of your day-to-day responsibilities?

Norris: I don't do operational security. My job is more about developing policy requirements, performance measurement, risk management and reporting; lots of reporting to OMB (Office of Management and Budget). I report directly to the CIO.

How's that relationship?

Norris: It's not always ideal in the corporate world. It works well, but we also don't have a choice because FISMA is explicit. FISMA puts responsibility for information security on the shoulders of the CIO, who delegates that in turn to the senior agency information security officer.

What kind of data does your office secure?

Norris: Different levels of data: unclassified, sensitive but unclassified, classified. And the types of data could be anything from communiqués to the field, to demarcation to the politicians, consular information on passports, visas.

Should future CISOs be business people? IT people? Both?

Norris: I think you need a mix [of skills]. You definitely need to understand the business you're in. I've been in IT in the State Department almost 20 years, but having served overseas a lot, I think I understand our business fairly well. That is imperative.

Do CISOs really need to learn to speak the language of business? Is that the must-have skill?

Norris: I don't know so much as speaking the language of business as speaking in plain English and not being wed to all those techie acronyms.

You need marketing skills; you talk to a lot of people and you've got some good ideas, but if you don't have the marketing skills, you're never going to get things sold. You also have to be able to make your case quickly and easily.

How does it apply in your case?

Norris: In my area, if you can't make your case in one page, you're never going to get in the door. If we were to send up a decision memo, or an information memo as we call them, to the undersecretary for management, we're limited. It's got a definite format. It's a one-pager and it's got to make a compelling case. She may later invite us up to brief, but you've got to get their attention in the one page.

It's like an elevator conversation. If you can state your case in three or four floors and get their attention, it's a real skill.

Would you suggest taking classes to hone those skills?

Norris: Sure, why not? Go to Toastmasters to learn your speaking skills. So many people in our business, if they come up through the IT world, they're not very good at public speaking or writing, or project management. Those are skills I encourage.

How many CISOs have this mix of skills?

Norris: Most of the successful ones do. It's real interesting, many of us were involved in Y2K, and I think that was the first time that I understood how important the business side of things was. That was my crusade. Hey, this isn't an IT problem, it's a business problem.

Do many still work in isolation as solely an IT person?

Norris: There are these purists out there, and that's great. We need them. But are they going to make the next level? I don't really think so, not if you're going to be locked into that kind of thinking.

Public speaking, writing, project management: These are probably four-letter words to purists?

Norris: Probably, but it depends what you want to do. What are your interests? Some people want to be technologists all their days, and we certainly need them, but you can't be so embedded. If you're going to be a successful CISO, you've got to show security is a business enabler. I've been saying this for four years. I'm still surprising people with that. My job isn't to say no, it's to say how.

About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.

This was last published in April 2006
