CISOs move up the management ladder

The function of information security is splitting into two, with security technology implementation moving back into the IT department and the administration of information security becoming a management issue.

So says Eddie Zeitler, executive director of ISC2, an organization that issues the Certified Information Systems Security Professional (CISSP) certification as well as a number of other security-related certifications. Zeitler gave the opening address at ISC2’s 2007 SecureAmericas conference, held recently near Washington, D.C. During his talk he cited data from an ISF/ISC2 joint study, an ISC2/IDC joint study, and observations made by the SANS Institute.

With this splintering, the role of the CISO — which he defines as the manager of information security — is changing.

“You need a solid grounding in technology to be a CISO…but to be an effective CISO, management skills now trump technology skills,” says Zeitler. “The role of the first-line security manager is moving back into IT…which is where it should be. But the oversight, policy making, [establishing] corporate programs, that’s moved more into management.”

Along with the new emphasis, however, comes a shift of accountability for IT security out of the IT department and up the corporate ladder to the CISO and even the CEO, he says.

Zeitler said CISOs who recognize that technology is the enabler of security, but not the solution, will prosper as the CISO’s management skills become more important than technical chops.

Other factors in CISO success include documenting risk-reduction accomplishments, helping to effectively merge security and operations groups, and reinforcing security as a valued service to the company. Technical understanding and competence are also important, but perhaps not as much as they used to be.

“Technical people — the really good ones, typically — don’t have people skills, and that’s what all these interfaces require between business units and the technicians doing the job,” he continues. The CISSP program has a management concentration, but Zeitler also recommends taking financial and management courses outside of the program.
