The function of information security is splitting into two, with security technology implementation moving back into the IT department and the administration of information security becoming a management issue.
So says Eddie Zeitler, executive director of ISC2, an organization that issues Certified Information Systems Security Professional (CISSP) as well as a number of other security-related certifications. Zeitler gave the opening address at ISC2’s 2007 SecureAmericas conference held near Washington, D.C. recently. During his talk he cited data from an ISF/ISC2 joint study, an ISC2/IDC joint study, and observations made by the SANS Institute.
With this splintering, the role of the CISO — which he defines as the manager of information security — is changing.
“You need a solid grounding in technology to be a CISO…but to be an effective CISO, management skills now trump technology skills,” says Zeitler. “The role of the first-line security manager is moving back into IT…which is where it should be. But the oversight, policy making, [establishing] corporate programs, that’s moved more into management.”
Along with the new emphasis, however, is a shifting of accountability for IT security out of the IT department and up the corporate ladder to the CISO and even the CEO, he says.
Zeitler said CISOs who recognize that technology is the enabler of security, but not the solution, will prosper as the CISO’s management skills become more important than technical chops.
Other factors of CISO success include documenting risk-reduction accomplishments, helping to effectively merge security and operations groups, and reinforcing security as a valued service to the company. Technical understanding and competence are also important, but perhaps not as much as it used to be.
“Technical people — the really good ones, typically — don’t have people skills, and that’s what all these interfaces require between business units and the technicians doing the job,” he continues. The CISSP program has a management concentration, but Zeitler also recommends taking financial and management courses outside of the program.