Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Whither the CISO?

I’ve been wondering this for several years now, and maybe you can help me:  what kind of “professional development” should a CISO have, both to stay current and to prepare for the next position?

In my own experience, you’re supposed to be a mile wide AND a mile deep in order to do your job effectively.  The problem is that I have the schedule of an executive with the issues of a hands-on techie.  I really envy the people that have a job that allows them to focus on one facet of security; I can’t really become an expert in anything any more, except for maybe CISO-ing.

I have to be able to take part in a design review, discuss data models, argue about virtualized switches, interpret legislation, explain the latest security exploits, manage personnel issues, negotiate contracts, and examine registry keys.  I have to be able to talk about everything from LDAP schemas to data masking.  This isn’t even including the business-specific issues and processes that I need to be aware of.

So what kinds of classes should I be taking?  I can take generic management training (“20 ways to terminate your psycho employee without endangering yourself, others or the company’s liability”), and I can go to conferences and listen to what everyone else is doing (“we’ve discovered AWARENESS TRAINING!”), whether it helps me or not.  I can read blogs until I’m cross-eyed, but that doesn’t get me CPEs.  As far as I know, they don’t offer courses like “Ruby on Rails for the Executive Who Used to be Hands-On Back When It Was FORTRAN on Rails.”  I don’t have time to take the regular week-long courses in everything I should know at least something about; I don’t even have time to go to one-day classes.

And I’m sorry, but there are only so many times I can sit in on a vendor’s breakfast seminar on some hot new topic before I start hurling croissants (in both senses of the word).  As I’ve said before, executive briefings on security are NOT the same thing as briefings for security executives.  There’s only one group I know of that does the latter well.

As much as I love the people who go to Black Hat, I do not want or need to sit through 8 hours a day of people describing in great detail exactly how someone could theoretically 0wn my network.  And learning how security products work is not the same as professional development.

It seems to me that there are only a few ways that CISOs can grow.  One of them is to move to managing the security of a BIGGER operation.  Another way is to become a consultant to other CISOs.  There are a few who migrate to the CIO role, but I don’t know of anyone who’s actually done that.  Assuming that I’m not going to have the chance to do any of these, how am I supposed to “develop” myself further?

Looking forward to your comments ...

Posted by shrdlu on Friday, June 19, 2009
(6) Comments

Comments

United States on 06/19 at 09:06 AM:

I’m definitely sympathetic. Been exactly where you are. Source Boston is a great conference for folks like us as are the BH Executive Briefings if you can snag an invite. Classwise though, I’d love to go through one of those Executive MBA courses and get a much deeper dive into business issues.

dunsany United States on 06/19  at  03:33 PM:

I feel like I’m in a similar predicament, although I suspect I’m a little closer to the metal than you are - mostly because of the size of my organization vs yours.  But I do feel the squeeze of not having any place to gain knowledge.  One way I earn my CPEs is teaching and lecturing - which forces me to focus my thoughts temporarily on a particular facet, and the audience/student feedback often teaches me something as well.

As for pure classes or seminars, I love the legal stuff.  I wish there was a Cyberlaw for CISOs class or decent book out there. I do have a lot of lawyer and lawyer-like friends, so I’m constantly egging them on for ideas.

Derek Slater United States on 06/21  at  08:51 PM:

2 cents’ worth, or less: I see people using Brand Protection, Intellectual Property or Enterprise Risk Management initiatives as an opportunity to start expanding your knowledge of fraud, law, physical security and other related categories.

Also, an extra half-penny: http://www.csoonline.com/article/494878  My thoughts on a key direction in which the security discipline will grow over the next half-decade.

shrdlu United States on 06/21  at  09:18 PM:

Thanks, Derek.  Absolutely, I agree with you—if you can turn the data you collect into intelligence in a way that can benefit the business at large, that’s the best possible outcome.  Tracking data flows to help define business processes, tracking interactions with partners, measuring customer volume, and so on.

United States on 06/22 at 12:10 PM:

Study up on Kung-Fu and “The Art of War”. Everyone in security needs to have that behind them grin

In all seriousness, you do have the unique ability to cover security topics with intellect, creativity and humor in a meaningful way. Teaching, speaking engagements or book writing would probably be useful as you do learn from teaching as dunsany mentioned. Unfortunately teaching and book writing can take a great deal of time.

Then again, you can always take some classes on law, statistics or some kind of scientific or business analysis disciplines. Think of how you would tie them into your existing role and your business from your own slant. Some higher education programs may have something you are looking for.

Btw, if you write a book, I want to know about it. It would be a great add to my collection.

niranjan India on 06/24  at  01:48 AM:

This is a very crucial and persistent issue you have brought up.

Being an infosec manager myself, I too have faced (and am still facing!) a similar problem.
I have always struggled between being a security generalist and a security specialist. I have been consulted (demanded!) many times on topics ranging from securing a particular web app component, to the legal aspects of data privacy in a particular cloud environment, to suggesting the best method of configuring a Microsoft group policy. I believe the idea of being a mile deep and a mile wide makes it impossible for a person to hold on to his knowledge and deliver what is actually required; of course one cannot be both master and jack of all.

In my opinion, the industry is still groping for what to expect from a CISO. Expectations of a CISO are normally different from those of other CXOs. It is this lack of clear expectations, and demands from every nook and corner, that makes the problem worse.
