Who's In Charge
Focus on Risk Management

What is consistent is the evolution of IT security toward risk management. In parallel with growing regulatory compliance, surging data volumes and the more complex technologies designed to manage them, security is focusing more on overseeing information and how it's managed, Carey says. IT security executives have to understand the risks organizations face, and that requires the broader, business-focused expertise that the executive level understands. Brooke Paul, CISO of Cincinnati-based American Financial Group, has seen his job shift from conventional security responsibilities to a risk-management role. He was elevated to the CISO role five years ago, after four months with the company as vice president of information security. "Auditors and regulators were asking for our chief security person," Paul says, and business-side executives "wanted someone they could hold accountable for it." Paul's responsibilities involve less direct operational security than program management, creation of security policies and compliance, he says. He doesn't have the power to declare policies, however. Instead, he works with a committee of business leaders who decide security policy together, he says. American Financial has no CSO. Paul agrees that the CISO role varies by industry. He says CISOs are particularly prominent in publicly traded companies and financial services firms; the $3.9 billion American Financial fits into both categories. So where do CISOs and CSOs come from? The simple answer is that they can come from anywhere within the IT security ranks, Schmidt says. Security professionals who formerly focused on firewalls, antivirus efforts, IT controls or other areas have all moved into CISO and CSO roles in the past five years, he says. The ones who get tapped typically are those with the best interpersonal skills. The ones who succeed are those who run security as a business unit, rather than as strictly a security discipline.
That means bringing demonstrable value to the overall company by, for example, explaining to business units how to undertake revenue-generating efforts while addressing security concerns. "Ever since probably 1995, we've seen the security executive become sort of a hybrid between the technologist and business side. Now we see business units seek out security executives to help them make business decisions," Schmidt says. A major challenge for new CISOs and CSOs is to address the frequent conflicts of interest between business units and security. The business side often sees security's priorities as a roadblock to innovation and being first to market, Schmidt says. Fred Cohen agrees. The principal analyst for security and risk management strategies at the Burton Group in Salt Lake City, Cohen says CISOs and CSOs often work at odds with the CFO and CIO. CIOs might have a goal of cutting costs, for example, which could lead them to overconsolidate IT and eliminate infrastructure redundancy that's critical to business continuity or disaster recovery. Similarly, a CFO might want to move money offshore overnight to gain foreign market interest. Although such moves may be good for revenue levels, they can also be fraught with risk-management perils. As a result, high-level security executives ideally shouldn't work directly beneath the CFO or CIO. Cohen suggests putting CISOs on the organizational flowchart in a "side box" on the level occupied by the CEO or board of directors. To do their jobs effectively, CISOs and CSOs need to develop strong communication skills. Rolf Moulton, president and CEO of (ISC)2, the IT security certification group, says the ability to communicate effectively and diplomatically with the business side is important not only for business, but also for enhancing one's own career. IT security executives must be able to "institutionalize" security concepts and convince others that those concepts have business value. 
IT security executives need to know how to align security with strategy. And they have to speak the language of the MBA holders in the boardroom. American Financial Group's Paul says IT security leaders are gaining influence and carving out their niche by removing a certain level of audit-related and regulatory stress from business leaders, who may be personally liable if something goes wrong. "The value I bring in my position is, to a certain degree, about making the board of directors and the CEO and CFO comfortable with their situation, because they know they have an expert. These people must sign off on this or that, and if it comes back as a negative thing, it could have a huge impact on the company," Paul says. There's an educational aspect to the CISO role as well. The managerial types who are beholden to regulations usually don't understand compliance as well as the security chief does. "Businesspeople don't always see the value in all these regulations they've got to follow," Paul says. "So you can lessen their pain by helping them make their way through the maze of what they're dealing with and help them understand what to expect with auditors."
Finding Your Own Way

The average 45-year-old CISO making $200,000 a year often has no idea where his or her career will head next, Moulton says. He anticipates that some CISOs and CSOs won't be able to break the IT mold. So he expects heads of security to evolve in two directions. One group will shift more into the business side, focusing on information assurance and risk management. The other group, comprising those without the requisite communication and business skills, will slide into a more purely technical role. Tammy Clark, CISO of Atlanta's Georgia State University, is a prime example of an IT executive whose role has evolved quickly and is increasingly moving toward risk management. She's also an example of a security pro who got where she did without real guidance from the organization's leaders. In short, like many CISOs and CSOs, she has designed her own career path. Clark, who holds multiple nominations and awards from the IT security-focused Executive Alliance, started in IT more than 20 years ago with the U.S. Air Force. She moved into the private sector when her base closed, and she found herself adjusting to the more open-ended, less-regulated world of business IT. She bounced from the security vendor side back to government and then landed at Georgia State University in 2002. An audit there showed 32 IT security deficiencies, and management sent the newly hired Clark, who served as the school's sole IT security expert, to answer to the auditors. "I was kind of put on the hot seat right away," Clark says. Georgia State named Clark its first-ever CISO. She has figured out work-arounds to help overcome funding barriers: for example, writing white papers that show why particular security deployments are "must-haves" or negotiating with university committees to allot a portion of student fees to security. As 2006 unfolds, she is focusing on risk assessment and management.
She's establishing policies that, for example, prescribe that new deployments have to be vetted in a risk-assessment overview. One problem almost all CISOs and CSOs face is that they can provide input to, and negotiate with, the business side, but they lack sufficient direct power at the top. A CISO can influence the CEO, for instance, but can't single-handedly pull the trigger on a new rule and establish it for the entire company. That word "influence" is key to the IT security executive's role, says Burton Group's Cohen. Security leaders have to learn to create change by indirect influence. A CISO might get technical advice from a vice president of information security, for example. When the VP points out a new vulnerability that threatens several separate business facilities, the CISO likely won't be able to mandate a security deployment to fix the problem. Rather than going to battle in the boardroom for funding clearance, the CISO might take easier, less-expensive steps to ensure that a problem, such as a virus, that starts in one facility can't spread like the plague over the entire company network. At the same time, the CISO will make his or her desire for a full fix known to the business side.
Taking a Project Management Approach

Modern IT security management is often about project management, says the security chief at a large specialty retailer who asked that her company not be identified. If encryption work is needed, for instance, security might act as the project manager, working with business managers who know their own applications best. Increasingly, IT specialists from outside the company will come in to handle tasks, and in-house security executives will oversee their work. An IT security certification confers credibility and valuable knowledge on a project manager, the retail executive says. Her company now seeks certifications when it makes new hires. "It's more important than it's ever been," she says, noting that she looks for CISSPs (Certified Information Systems Security Professionals) when she has an opening to fill. Certifications and higher education are gaining importance for IT security pros at all levels. A 2005 IDC global study found that companies are placing increased emphasis on security certifications as differentiators during the hiring process. More than 60 percent of the 4,300 IS pros surveyed said they plan to acquire at least one more certification over the next 12 months. The portion of IT security workers in the Americas who hold a master's degree rose to 34 percent from 28 percent in just a year's time. In Europe, the Middle East and Africa, the number of master's degree holders spiked to 42 percent from 32 percent in that time. But despite higher levels of training, observers say, it's inappropriate to think of CISOs or CSOs as being on the same level as other, more conventional C-level executives. The security executives' role is "cross-cutting," says Burton Group's Cohen, similar to the status held by human resources leadership. They have input on the same level as CEOs and CFOs, but they don't deal with the same level of decisions.
"I don't buy into the notion that they should be at the same table as the CEO or CFO," Cohen says. "There are lots of things that CEOs and CFOs do that have nothing to do with the CISO function. The problem, though, is that you can't place the CISO lower in the structure." IT security leadership structures have, indeed, become elaborate. The Harris County Hospital District in Houston has several new security leadership roles that were mandated by HIPAA, says CIO Tim Tindle. A CSO, now on the job for about 18 months, reports to Tindle. The CSO enforces security and regulatory requirements, and provides an audit function for data protection and IT security generally. Harris County also has a privacy officer, reporting to the COO, who ensures that health information isn't disseminated in any way other than how patients intend. Tindle affirms others' statements that finding skilled personnel is becoming more difficult. Harris County spends about $600,000 to $700,000 annually on IT security staff, roughly double what it spent five years ago. The sophistication and expense of the organization's technology have increased as well, and Tindle has worked hard to find ways to save money. For example, Harris County outsourced its intrusion-detection needs to vendor Alertlogic rather than manage it in-house. Tindle estimates that move has saved the organization up to $900,000 per year. As for how IT security roles may evolve, Tindle says the tasks and responsibilities assigned to specific jobs remain fluid. But he sees things firming up in the coming years as IT security establishes the best routes for navigating regulatory demands, such as those mandated by HIPAA. "I think over the next five years, the pace of change is actually going to slow down," Tindle says. "The scope and breadth of what we manage, and how we manage it, is eventually going to solidify." Ted Kemp is a freelance business and technology writer in New York. Write to him at email@example.com.