The CISO Mystique

Your company probably has a CEO and perhaps a CIO or CTO. But does it have a CSO? And does it have a CISO? While Chief Security Officers are nothing new, it’s only in the past few years that the Chief Information Security Officer title has come into its own. As Network World finds in interviews with several of them, it’s a unique position full of challenges.

It used to be that CSOs were over-glorified security administrators, babysitting the firewalls, arguing with software vendors over botched anti-virus signature updates and cleaning spyware off of infected laptops. True, that’s still the role some CSOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing programs that balance acceptable risks against the unacceptable.

In an ideal world, today’s CISO hires someone else to handle all those technical tasks. Of course, the question is whether you can inspire them to do what you once had to do, or if you’ll turn them off with an attitude of superiority.

Says one CISO:

Security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, focused very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So, things that security practitioners long said were part of security, our organizations are now looking for us to accomplish also. Essentially, the CSO/CISO has become a permanent part of the group sitting at the table deciding how the company does business.

Says another:

The job today is mostly about knowing how to prioritize. This boils down to understanding your business’ risks and applying risk mitigation with the right recipe of people, processes and technology. Your C(I)SO program portfolio should be a mixture of tried, true, and stable investments, with a touch of cutting-edge technology where your gut tells you the vendor is on the right track.

How is responsibility for IT security divvied up in your company, and is it a career track you’re interested in? It should be. As recruiters keep saying, security is always one of the hottest in-demand specialties.

— Don Willmott

2 Responses to “The CISO Mystique”

  1. By Von’Victor Valentino Rosenchild

    CISOs are needed more than ever in the 21st Century due to the dynamics of Intrusion Detection and Prevention, Next Generation Firewalls (NGFW), and the added security that is needed in Cloud Computing / On-Demand services that take the security perimeter beyond the boundaries of the enterprise LAN/WAN/Wi-Fi Network.

    As we are about to enter 2011, I see an increased need for CISOs not only in enterprise and government, but also in SMBs. More and more SMBs are adopting Cloud Services from such companies as Salesforce, Amazon Web Services, Google (Google Apps), Microsoft (Windows Azure, Dynamics, etc.), IBM, Linux Red Hat, Oracle (On-Demand), etc., and with the adoption of Cloud/On-Demand services there are increasing risks.