How to be a CSO (Or just look like one)

For starters, brush up on your business skills. Here's a look at what it takes these days to lead an enterprise's security program.

SAN FRANCISCO -- Face it, you've thought about moving up the corporate food chain to CSO. Maybe you've made it happen. With more companies creating a chief security officer, or a comparable title, there are more opportunities to ascend to that role. Your best bet at getting the job -- and keeping it -- is to think more like a "suit," less like a geek.

"Your knowledge has to expand beyond your technical skills," said Lisa Johnson, global information security officer for Nike Inc. Johnson earned an MBA to learn "the lexicon of business" and continually reads business magazines to stay on top of trends, such as supply chain changes, that could impact her programs.

Johnson's advice came from a CSO panel at the RSA Conference that touched on what it's like to be in charge of security at a time when attacks are up, consumer confidence is down and some budgets just aren't budging.

Nike, for instance, isn't devoting more money this year to its internal security. Instead, Johnson's planning to optimize what she already has. "I think we have very good tools. I don't think we've leveraged all the functionality available in them," she said.

Karen Worstell, the new CSO at Microsoft, said it's important security be viewed as a business enabler, not as a deterrent to productivity, where employees must take additional steps or alter processes to help guard their work. "Finding the translation for that is not easy," she said.

Like Johnson, Dennis Devlin, vice president and CSO of The Thomson Corp., soaks up business publications to better understand how to manage the people within an organization. "The technology is very, very important, but the people and the process are probably becoming even more important." He said more emphasis must go into teaching employees to think differently about their roles within a company, particularly when it comes to social engineering. "Ultimately, each employee in a corporation is one of the gatekeepers."

Everyone on the panel, which also included security executives from Oracle Corp. and Siebel Systems Inc., agreed that pressure will continue mounting on security departments, especially those in heavily regulated industries, and that all CSOs must take ownership of their networks and systems. Also, don't expect to be popular and don't shy away from telling the truth about a company's security posture.

"This job is about stewardship. It's not about a title," Microsoft's Worstell said. She recalled the words of a former boss, who said you should come to work every day prepared to be fired. "It's not about the fear," Worstell said, "but you're still going to have to be the one who stands up and says what they may not want to hear."
