What it takes to be a great CISO

'To be an effective CISO, management skills now trump technology skills,’ expert says

The function of information security is splitting into two, with security technology implementation moving back into the IT department and the administration of information security becoming a management issue.

So says Eddie Zeitler, executive director of ISC2, an organization that issues Certified Information Systems Security Professional (CISSP) as well as a number of other security-related certifications. Zeitler gave the opening address at ISC2’s 2007 SecureAmericas conference being held near Washington, D.C., this week. During his talk he cited data from an ISF/ISC2 joint study, an ISC2/IDC joint study, and observations made by the SANS Institute.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The function of information security is splitting into two, with security technology implementation moving back into the IT department and the administration of information security becoming a management issue.

So says Eddie Zeitler, executive director of ISC2, an organization that issues Certified Information Systems Security Professional (CISSP) as well as a number of other security-related certifications. Zeitler gave the opening address at ISC2’s 2007 SecureAmericas conference being held near Washington, D.C., this week. During his talk he cited data from an ISF/ISC2 joint study, an ISC2/IDC joint study, and observations made by the SANS Institute.

The do’s and don’ts of an effective CISO

With this splintering, the role of the CISO – which he defines as the manager of information security – is changing.

“You need a solid grounding in technology to be a CISO … but to be an effective CISO, management skills now trump technology skills,” says Zeitler. “The role of the first-line security manager is moving back into IT … which is where it should be. But the oversight, policy making, [establishing] corporate programs, that’s moved more into management.”

Along with the new emphasis, however, is a shifting of accountability for IT security out of the IT department and up the corporate ladder to the CISO and even the CEO, he says.

Zeitler, who held a number of executive security positions at organizations including Charles Schwab before joining ISC2 last year, said CISOs who recognize that technology is the enabler of security, but not the solution, will prosper as the CISO’s management skills become more important than technical chops.