Where do C-level security careers lead to and how do you maintain them and get a seat at the table? Deb Radcliff finds out.
Predictions that the C-level security role may eventually dissolve have been circulating practically since C-level information security positions began to appear.
Now, market conditions indicate that these positions are already on the way out as security functions inevitably embed deeper into other IT/business operations.
“The elephant in the room is that some companies have pushed down the CISO role within their organizational chart,” explains Joyce Brocaglia, CEO of the executive security search firm Alta Associates. “The CISO title alone will not get you a seat at the table.”
Mike Murray, co-founder of Infosecleaders.com and co-author of a survey of 936 security professionals released in March, agrees. He adds, “The general feeling across all levels of information security professionals is that ‘we are no longer special, we are now a cost center like the rest of IT.'”
As they should, vendors and security professionals are working hard to make security more agile and efficient to meet the demands of business. Ironically, as they do so, they are further driving this process of security as a commodity or cost center within IT.
“Today, we are seeing examples of security being embedded directly into network infrastructure devices — routers, switches and load balancers included,” says Jody Brazil, president and CTO of Secure Passage, a provider of security analysis and compliance solutions. “What truly makes a device a security or network device is how it is managed, not what it is called.”
More signs of security crossover with other embedded technologies continue to emerge at the annual RSA Conference, with chip-level encryption (such as Trusted Platform Module) being big a couple of years ago, and the presence of more network management vendors (for example Ipswitch, secure FTP/network management). Even document management vendors have become security-embedded, such as Fasoo, which was there this year showing secure, end-to-end content management.
When it comes to career paths in this changing market climate, C-level professionals can generally take one of two directions, according to Brocaglia and Murray. Either they migrate to the CIO position, or they stay in C-level security roles and continue to enhance their careers as businesses technologically evolve.
The new career ladder looks more like a lattice where c-security professionals may make lateral moves to areas such as compliance or IT in order to gain diversified experience required for executive positions outside of information security, adds Brocaglia. A diversified background also helps the career CISO to better map the relationships between business operations and security.
As an example of diversification, Kim Jones, information risk manager at General Dynamics C4 Systems, moved upward to two consecutive CISO roles and then sideways to risk manager on his path toward someday being CIO of a large distributed organization.
Jones started his information security career in Army intelligence, moving into the private sector by way of consulting, and then becoming CISO at a small financial technologies company in 2003. There, he met with business unit managers and executives, took a baseline assessment of the infrastructure, and optimized that environment to improve efficiencies and reduce risk – as any C-level should.
After that company was sold, and following similar work with another small firm that was also sold, Jones then moved to General Dynamics C4 Systems as a risk manager – a move some might consider a step backward.
“I went from CISO at a small company to a secondary position at a $3 billion dollar entity in a very stable environment,” says Jones, who is on the advisory board of ISSA's CISO Executive Forum. “This role [risk manager] has more responsibility and suits my strength areas of policy framework, risk assessment, new business development, performance and operations.”
Jones, hired in early 2009, was quick to align himself with the company's CISO, who he calls a great role model in navigating the larger organization while forming critical relationships.
“We want to transform security from a block and tackle position to an enablement position,” Jones says. “For that we have to understand and accept the risks associated with certain business actions by enabling those actions with secure, cost-effective solutions.”
While some C-security professionals aspire to the CIO role, many more aspire to the CISO/CSO role. In the Infosecleaders survey, 37 percent of respondents chose CISO/CSO as their career destination. Of those respondents who were already security executives, only 10 percent chose CIO/CTO as their ultimate career aspiration.
Tim Stanley, CISO of Continental Airlines, is one of those happy to carry the title of CISO or CSO the rest of his career. Although he could have ambitions for the role of CIO, he feels security is his calling.
“I like being a security guy and feel as if this was the job I was destined to do,” says Stanley, who reports to the CIO of his organization. “The case for whether or not there is a glass ceiling and a CISO wants to do something other than security to get out from under that ceiling , that is a decision to be made on an individual level.”
At John Deere Corp., there is no such role as a CSO or CISO – something John Johnson, security program manager at the global company based in Moline, Ill., speculates is more common in older, established manufacturing companies.
In John Deere's case, security is already an embedded function, with security reporting to architecture, which reports to the IT director and the CIO. In his organization, Johnson says, this structure is effective at meeting security and operational objectives cohesively.
“Considering we're buried deep in the IT organization here, we do remarkably well in getting business consensus,” says Johnson. “We take the initiative to engage with architecture, the business and other teams, so we are involved with setting standards and evaluating new technologies, rather than being called to bolt on security after the fact.”
This goes to show that business acumen is and will remain key to maintaining executive-level careers in security, regardless of career path or direction the market takes, says Eric Green, program director for SC World Congress.
“You're all talking the same language, you just have different accents,” Green says of speaking the language of business. “Risk, cost of not addressing a problem including computer downtime, value of staying out of the media, compliance – these are concepts that will get executive attention. ‘We need budget to update our firewall or IDS and purchase a content security solution,' is not going to get their attention.”
When it comes to furthering and maintaining their own careers, C-level and upwardly mobile security professionals are doing so by reading books, attending security conferences, getting certifications and joining professional organizations and local meetings – particularly ISSA chapter meetings, according to a recent Infosecleaders survey of 936 security professionals.
As an example of business acumen being introduced through this type of networking, the upcoming Executive Women's Forum National Conference (www.ewf-usa.com) this fall, features a panel track titled “Transforming risk and security services from a cost center to a profit and revenue enabling center.”
MBAs from universities are also common among c-level career goers, according to the survey. As another example of industry evolution, the SANS Technology Institute, known for its deep-dive technology training, recently introduced a graduate degree for technical directors and security managers with business management focus.
However, when it comes to mentoring new information security professionals, Kim Jones, information risk manager at General Dynamics C4 Systems, feels adamantly that C-level security officers are not doing enough, particularly in mentoring new security professionals.
“In our organization, we are big on education and training. And even then, 30 percent of that training must be outside your area of expertise,” Jones says.
Eric Green, program director for SC World Congress, agrees. He feels that this concept of taking security education beyond IT issues should be expanded beyond small groups, and to larger peer gatherings, such as SC World Congress, and even to very large venues.
“Could you imagine if a venue as large as the RSA Conference held this whole subtrack of non-security functions? It would be operations, finance, executive teamwork and marketing tracks, instead of just security, security, security,” he says. “Security professionals on upward career paths are hungry for those kinds of relationships and real-world information. They'd flock to those classes.”