The CISO Mystique

by dicenews Nov 17, 2010 2 min read

Your company probably has a CEO and perhaps a CIO or CTO. But does it have a CSO? And does it have a CISO? While Chief Security Officers are nothing new, it's only in the past few years that the Chief Information Security Officer title has come into its own. As Network World finds in interviews with several of them, it's a unique position full of challenges.

It used to be that CSOs were over-glorified security administrators, babysitting the firewalls, arguing with software vendors over botched anti-virus signature updates and cleaning spyware off of infected laptops. True, that's still the role some CSOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing programs that balance acceptable risks against the unacceptable. In an ideal world, today's CISO hires someone else to handle all those technical tasks. Of course, the question is whether you can inspire them to do what you once had to do, or if you'll turn them off with an attitude of superiority. Says one CISO:

Security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, focused very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So, things that security practitioners long said were part of security, our organizations are now looking for us to accomplish also. Essentially, the CSO/CISO has become a permanent part of the group sitting at the table deciding how the company does business.

Says another:

The job today is mostly about knowing how to prioritize. This boils down to understanding your business' risks and applying risk mitigation with the right recipe of people, processes and technology. Your C(I)SO program portfolio should be a mixture of tried, true, and stable investments, with a touch of cutting-edge technology where your gut tells you the vendor is on the right track."

How is responsibility for IT security divvied up in your company, and is it a career track you're interested in? It should be. As recruiters keep saying, security is always one of the hottest in-demand specialties. -- Don Willmott

Security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, focused very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So, things that security practitioners long said were part of security, our organizations are now looking for us to accomplish also. Essentially, the CSO/CISO has become a permanent part of the group sitting at the table deciding how the company does business.

Says another:

The job today is mostly about knowing how to prioritize. This boils down to understanding your business' risks and applying risk mitigation with the right recipe of people, processes and technology. Your C(I)SO program portfolio should be a mixture of tried, true, and stable investments, with a touch of cutting-edge technology where your gut tells you the vendor is on the right track."

The CISO Mystique

The CISO Mystique

Dice Staff