The most successful CISOs transform their security program from a cost center to a business-enabling center, says Joyce Brocaglia.
I have been recruiting information security and controls professionals for 25 years and have witnessed the evolution of the field. Information security has grown from an obscure back office function to one of the most important enablers of competitive business activities. In recent years, the issue of information security has gained the attention of CEOs throughout corporate America. Although there is agreement for a need to appoint a senior business executive to oversee security, the exact responsibilities of the role and reporting structure vary greatly from company to company and industry to industry.
Having conducted numerous searches for chief information security officers, I often have been asked by candidates what a company looks for when hiring a CISO. I have observed that the technical requirements of the role are similar for most companies; however, the true underlying skills required to achieve their objectives are different dependant on the company's structure and the maturity of the department.
When a company begins searching for a security officer, they typically will already have a defined information security department, or they will not yet have established a separate function, but rather have individuals within the technology lines of business who have responsibility for security. These factors often play a large part in determining the basic foundations for the role. Although the technical skills required for the position remain relatively the same, the soft skills and underlying objectives have a slightly different focus.
Those companies that have an existing department, place a priority on hiring a security officer that is undeniably credible. They need for the existing staff to immediately recognize that this individual was brought in because of their seasoned capabilities and strategic vision. This person will be tasked with raising the credibility of a department that may not be well recognized or well regarded within the organization. Further, these companies will search for someone with the breadth and depth of experience to add value to an existing team, orchestrate a cohesive strategy for them to follow, and clearly be a champion for their efforts within the organization. Such companies are usually adamant about the requirement of strong hands-on management skills. Usually, these companies will not hire a candidate for whom this job would be a next step. They want someone who has been there and done that for another organization and has a proven track record of success
Companies that do not have a centralized information security department, tend to seek a CSO that will have the capability to perform an overall analysis of security and the ability to develop policies and procedures. They search for someone who can create repeatable templates that can be used for assessing technology initiatives. They tend to look for someone who will be able to develop a corporate strategy that will coordinate the efforts of the individuals tasked with information security within the lines of business and tie their initiatives and findings to a plan with measurable and reportable results. These companies are more likely to hire someone who is very hands-on and has shown a demonstrated ability in many areas of security, as opposed to a technical specialist in just one area. This situation often lends itself to someone who is ready to take on their first lead role as a security officer.
If you are ready to take the next step into a CISO role or are already a security officer looking to have an expanded role, in order to be successful in your search you must recognize the attributes that you bring to the table – and the environment that is going to benefit from them the most.
As you do this self evaluation, recognize that the single most important quality that companies are now seeking in their information security officers, regardless of the size or maturity of their group, is the ability to influence. Collaborative management skills, coupled with keen business acumen and executive presentation and communication skills, are typically sought-after skills which enable executives to be successful change agents.
If you already hold the information security officer title, in order for you to continue to gain more credibility with the businesses in which you interact, they must view you as part of the solution and not part of the problem. The most successful CISOs transform their security program from a cost center to a business-enabling center. Building relationships with key stakeholders early on in the process is paramount to achieving this goal. This means strengthening your relationships with the heads of privacy, risk, internal audit, human resources, infrastructure, development and legal.
Forward-thinking security executives use technology as a differentiator to promote customer confidence and drive revenue. Building an external network of such security leaders enables you to develop creative solutions based on others' successes, as well as benchmark your program with other world-class programs. Organizations like the ISSA and ISACA are great industry groups to participate in to get an overall sense of the marketplace. It's also important to become an active member in groups that will allow you to build trusted relationships with your peers. Organizations like Alta Associates Executive Women's Forum has over 500 of the most accomplished women in their field that gather together at a national conference, regional meetings and online community to share their challenges, successes and best practices. These types of organizations also provide training with CPE credits to maintain certifications.
There are also many groups that executives can go to for specific tools and best practices. The Shared Assessments Program is a member-supported consortium of IT outsourcers, IT service providers, assessment firms and others that work together to streamline the service provider control assessment process. The Cloud Security Alliance promotes the use of best practices for providing security assurance within cloud computing.
Find an organization that fits your needs and interests and leverage your active participation to become recognized in the industry as a thought leader while you are building your best-in-breed program.
Continuing the upward trajectory of your career requires constant evaluation. Assess if you are working at a company that values you and your role and places it high enough on the organizational chart to influence change. Determine the strength of your internal and external networks and ask yourself how you can gain more understanding of the businesses with which you interface. Finally, develop more solutions that will allow you to enable businesses while remaining secure. Ultimately, you are the CEO of your career, so take charge and increase your worth, define your brand and market the only product you have: you.
Joyce Brocaglia is president & CEO of Alta Associates, an executive recruitment firm for the information security industry.