Who would want to be a chief security officer? OK, you’d get a high salary – particularly if you are CISSP-certified, as many salary surveys show – and you’d get the satisfaction of creating a more security-savvy organization, but you’d probably be flitting from one company to another every three years. CSOs often need to make changes in an organization that may not go down well with their colleagues, creating political tension and making it unpleasant for the exec to remain at the company.
That and many other issues delving into the job of a CSO were discussed at a CSO Bootcamp held at Interop last month, which my colleague Senior Editor Tim Greene attended. In his story “CSOs lasting longer, but still out after three years”, Tim writes that attendees at the bootcamp now often have business backgrounds, a contrast to the first generation of CSOs made up of ex-techies, who were tasked with putting out the immediate fire.
John Pironti, the chief information risk strategist for Getronics who ran the bootcamp, said that part of the politics stems from the need to influence all people in IT to make security a priority. Also, there’s the need to foster a culture of security across the whole organization. Hiring outside consultants to audit a company’s security and make recommendations could help alleviate the need for the CSO to be critical of the organization, said Pironti.
Tim’s story includes a full report from the bootcamp, as well as a sidebar on CSO tactics to influence secure network behavior.
Another story of interest is Cara Garretson’s “What it takes to be a great CISO”, reporting on a speech given by Eddie Zeitler, executive director of (ISC)2, which manages the CISSP and other security certifications. Speaking at (ISC)2’s 2007 SecureAmericas conference late last month, Zeitler said the function of information security is splitting into two, with security technology moving back to the IT department and administration of security becoming a management issue, reports Cara.
Management skills now trump technology skills for an effective CISO, said Zeitler, as accountability for IT security has shifted out of the IT department and up the corporate ladder to the CISO and even the CEO.
Technical competence is valued in CISOs, but soft skills are high up on the list of must-haves for security professionals, according to Zeitler.
In addition to Cara’s main story, check out the list of dos and don’ts of an effective CISO.
Do the pros of being a CSO outweigh the cons enough for you to consider a career as one?