Of what are you most proud?
I am most satisfied by the level of engagement by the senior leadership team in shaping our strategic security plan. By chartering a corporate-level security steering committee with representation from all business units, we are more intentional about elevating priority level information security issues to the C-level and then aligning our security strategy with enterprise goals and objectives.
How do you describe your job to average people?
I am both a translator and a bridge builder. As with many organizations, wide understanding gaps can separate our business leaders from our security teams, caused in part by misaligned priorities and, in part, by their respective use of specialized lexicons. My job is first to understand the business, legal/compliance, operational, financial and technical requirements that drive our security strategy. Next, I need to enable the effective flow of useful information among the various players responsible for ensuring the satisfaction of those requirements. Finally, I am responsible for guiding the design of our security solutions and assessing their effectiveness once implemented.
What do you think needs more attention from the industry?
Measurable security standards. The industry seems to obsess — especially within the health care vertical — about compliance with policy, and underemphasizes aligning processes and practices with proven, measurable standards. There are several organizations that publish helpful guidelines (NIST, ASIS, etc.). However, if the industry could agree on a set of clearly defined and widely accepted standards, it would be much easier to audit and benchmark our security programs, as well as secure funding for essential program components.
What annoys you?
Security practitioners who refuse to learn and apply the accepted rules of good business practice, insisting rather on isolating themselves with their "flat earth" mentality. By doing so, they marginalize the security profession and reinforce the destructive stereotypes that serious security professionals are striving to overcome.
What would you use a magic IT security wand for?
Derive a credible return on security investment value for each IT security-related policy, process, procedure and product that exists in the operating environment. Ideally, this protective value metric would be applied to components individually and collectively to establish a framework for predicting the impact of new components that may be introduced.
What security threats are overblown?
Airborne viruses. Sometimes, security discussions become so focused on what could happen that we lose sight of what is — or isn't — happening. Threat statistics from Cybertrust, Gartner and others simply do not corroborate the hype about the threat of mobile malware to our corporate networks.
SKILLS IN DEMAND
To do and to lead
There is a growing need for "tweeners." With the majority of U.S. IT security departments being relatively small, the demand for those who can "do" as well as "lead" is increasing.
While these "tweener" roles are challenging, they are often excellent stepping stones for career growth.
Titles vary but may include manager of IT security, information security director and technical security architect.
Small- to mid-cap
These positions are most often found within small- to mid-cap companies with base compensation ranging from $95K to $120K.
- Source: Jeff Combs, Alta Associates