Infoworld was running an article on "How great IT security leaders succeed". I said earlier that it's a question of attitude, and I find myself confirmed, time and again. But Infoworld also has this to say: "In fact, many CISOs who do have technical skills contend that the knowledge often leads to them getting tied down in too many operational decisions and projects [...]."
I have seen this time and again. I have seen security managers who single-handedly managed their company's security architecture (a great ability to have but it comes at a price). I have seen security managers who were expected by their company to guarantee the integrity of every single setting on any single computer (neat, but losing the big picture). I have seen security managers who were issuing patch advisories with an "Executive Summary" (that would contain the major technical details).
In a way, it's a very convenient situation for everybody. If the security manager focuses on technology, he or she has created a niche that is far less disturbing to the rest of the company than the prospect of strengthening processes or controls. A security manager who behaves as the chief technical security expert is in a reactive position. He or she will never achieve true influence.
It's vital - it is absolutely vital! - to be in a proactive position, and to be the person who asks the questions, not the person who answers them. If you feel like you'd like to jump from your seat and scream and shout now, then that's you.
Unfortunately, many of us come from a technology background. Once in a while we like to return to our comfort zone. Everything was simple in technology; it was logical. Problems had a solution. How convenient. Except that leaders don't have comfort zones - it's one of the things that defines them. And when you're a security manager, you need to be a leader.