By JANE SCOTT NORRIS
September 30, 2005
The 2002 Federal Information Security Management Act introduced the
position of chief information security officer (CISO) to the federal
government - albeit with the ungainly moniker of senior agency
information security official. Today, as the CISO position is earning
widespread recognition and increasing stature in both the public and
private sectors, we ask: "Where will the next generation of CISOs come
First, we need to pose and answer two other questions: "What is the
background and experience of current CISOs?" and "How is the CISO role
evolving?" Most, if not all, of those who currently hold CISO
positions did not begin their careers with the ambition of becoming
the senior information security officer for a large enterprise;
rather, they came into their positions through a confluence of skills,
innovation and opportunity. In fact, until recently, only a few people
worked in this rapidly expanding discipline, so there was no career
ladder to the executive suite. However, the importance of information
security and the demand for information security professionals are
both growing - thanks to ever-increasing connectivity, the rush to
market by vendors, expanding threats and readily available hacking
tools. The 2004 Work Force Study, conducted by the International
Information Systems Security Certification Consortium, projected a
compounded annual growth rate for the information security profession,
worldwide through 2008, at almost 14 percent, while the information
technology profession's growth was projected at only 5 percent to 8
percent over the same period.
Today's CISOs have typically worked in information technology, but
they have traveled a variety of routes to their current positions.
According to the work-force study, information security professionals
are very experienced, having worked an average 13 years in IT and
seven years in information security. CISOs, however, require broader
knowledge than the typical information security practitioner and
strong management skills.
With varying years of experience in the security arena, the most
successful among my colleagues have several nontechnical traits in
common. Each can use plain English, rather than "geek-speak," to
communicate with business managers and to balance security with
The consideration of business requirements is the key factor in
evolving the security profession's attitude from one of risk aversion
to one of risk management. With interconnectivity, we've abandoned the
search for absolute security and perfectly safe systems as an
impossible and impractical quest. We have accepted the need for
availability and usability of information and information systems,
leading to the creation of the information assurance discipline. But
it doesn't stop there.
Just as information management is transitioning into knowledge
management, with the emphasis shifting from technical outputs to
business outcomes, so the former information security profession is
maturing from a purely technical approach to one that is
mission-focused. To succeed, the CISO must be a strategic partner with
Often under the auspices of the National Security Agency's Centers of
Academic Excellence program, many colleges and universities have
recently established information assurance curricula at the
undergraduate and graduate levels, typically in the computer science
departments. Graduates from these programs are entering the
information assurance work force and expect to spend their entire
careers in this discipline. Many will aspire to become CISOs at some
point in their professional lives. For junior- and midlevel
information security personnel, there is no well-defined CISO model
and no clear path to the CISO position. Moreover, by the time they
attain the C-level, there probably will not even be a CISO position:
It is more likely to be CRO - chief risk officer.
My final advice to those aspiring to become a CISO/CRO:
* Gain a solid foundation in IT, information security and risk
* Know pertinent laws and regulations.
* Get credentials in information security, project management, and in
chief information officer competencies or business administration.
* Learn the business of the organization for which you work.
* Hone your communication and marketing skills. Think and talk in
business terms, and master the art of making your case in one page.
Jane Scott Norris is chief information security officer of the State