Succeeding in a pressure-filled world of auditors and cyberthreats requires skills in business, technology, people and more.
With a load of regulatory requirements, auditor scrutiny and evolving cyberthreats, it's a pressure cooker for an information security executive these days. How's a security manager supposed to survive, let alone succeed, in the enterprise?
A big part of the answer has become a CISO mantra: Technology skills aren't enough; a security professional also needs business know-how. A successful one understands how the business works and can speak in terms the C-suite comprehends.
"We're there to facilitate the business, not hinder it. In order to do that, you have to be able to pull your head out of the ones and zeros and speak intelligently to people who don't understand the ones and zeros," says Dave Lewis, senior information security officer at the Independent Electricity System Operator (IESO) in Ontario, Canada.
Some security professionals are so focused on blocking attacks that they overlook how a threat affects their particular business, he says: "You have to understand what your business does and the risks involved for your business."
The ability to translate security threats to business risks is critical for getting a seat at the executive table, says Tim McKnight, vice president and CISO at defense contractor Northrop Grumman. And when you get time with the C-suite or the board, use your time wisely, advises Gene Fredriksen, principal consultant at Burton Group and former CSO at Raymond James Financial.
"You don't want to bring FUD.... You're never going to get more with those people than a few minutes at a time," he says.
Rather than virus statistics, talk about how security can help cut costs, reduce risk, improve compliance or enhance time-to-market. For example, if your organization grows primarily through M&A activities, talk about how security systems can help, Fredriksen says.
Along with business-speak, security executives need strong leadership and communication skills, and should focus on developing their employees' talents, says McKnight.
"If you don't have the best talent around you, you're not going to succeed," he says.
| Lost in Translation
There's a lot of jargon in security that can turn off business executives. Here are some common terms translated into plain English.
In fact, more than technical aptitude, future CISOs will need people skills, says Khalid Kark, senior analyst at Forrester Research. That's because they need to get buy-in at the executive level, and also need to educate and train end users about security threats and secure practices.
"CISOs will not be technology experts, they will be more people experts if they want to succeed at their jobs," Kark says.
Not so fast, says Tim Maletic, manager of information security and information services security officer at Priority Health, a Michigan-based health insurance company. He agrees that people skills are essential--a security professional has to be a jack-of-all-trades and deal with many different groups in an organization--but says technical ability is critical too.
"You can't get so far behind the times with what's going on with current technology that you're getting blindsided or are missing opportunities as new projects are coming through and not seeing how they relate to risk for your organization," he says.
Maletic says he finds himself pulled between the two worlds of business and technology. Building a strong team has helped manage that; he can tap his engineer's expertise with the latest technology.
He and other security officers also are finding ways to deal with the pressure of ever-present auditors. People skills come in handy on that front.
"You want to make auditors your friends. You need to work cooperatively with them," Maletic says. "My internal auditors are very much partners with me. We share information, keep each other in the loop."
IESO's Lewis says auditors shouldn't be treated as the enemy, a misconception common among some in IT: "Audi- tors are there to help you improve your business, not to flame broil you."
However, external auditors can present a different challenge, Maletic notes. In those cases, it's not so much about collaboration as about defining business requirements.
"And making sure that [with] each objective or control being tested, you can reach an agreement with your auditor about the value and not just roll over and let them do it a hundred percent their way," he says.
Regulatory compliance has been frustrating and time-consuming for CISOs, but a framework such as ISO 27001 can help address multiple regulations instead of dealing with them piecemeal, according to a Forrester survey.
| Layman's Terms
Executives have their own language with an alphabet soup of acronyms. Here are some phrases and what they mean.
Cash flow statement
Cost plus pricing
| Layman's Terms (continued)
Program Evaluation and Review Technique (PERT)
With all the evolving regulatory requirements, it also helps if security officers have some legal know-how, says Michael Rasmussen, a vice president at Forrester. They can't necessarily rely on corporate counsel to keep up with the IT impacts of various regulations.
"The CISO definitely needs legal skills today as compliance has been one of the No. 1 drivers of security in the last couple years," he says.
Burton's Fredriksen says industry organizations such as BITS, a consortium of financial-services C-level executives, can help security professionals keep up with emerging legislation and regulatory issues. Proactive security officers get involved and participate in the public processes related to proposed legislation and are ready to offer their organizations thoughtful advice on new issues, he adds.
Others agree that it's important for security officers to be active not just inside their organization but outside as well: "Whether you're affecting legislation that could impact your corporation or whether it's just being an advocate for education in information security in the academic world," says Northrop Grumman's McKnight.
Maintaining strong peer relationships also can help a CISO succeed, he says. For example, he can call peers at other companies to learn how they handled a particular issue.
More and more, the CISO is transitioning from a security-focused role to a holistic risk management role, McKnight says. "There are trade-offs, certain levels of risk you're willing to take," he says. "Defining that risk for the company and the business owners is essential."
Forrester's Kark predicts that the CISO job of the future will be more about information assurance rather than information protection.
There are many certifications and academic programs to help security professionals boost their careers.
Certified Information Security Manager (CISM)
Certified Information Systems Security Professional (CISSP)
Certified Protection Professional (CPP)
Global Information Assurance Certification (GIAC)
Professional Certified Investigator (PCI)
Carnegie Mellon University, Information Networking Institute
Georgia Institute of Technology, College of Computing
James Madison University
Johns Hopkins University Information Security Institute
Kennesaw State University
Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS)
Rochester Institute of Technology
Stevens Institute of Technology
*This is a representative list.
Keeping a security team from being pulled apart by auditor demands is a tough balancing act. by David Mortman