Whither the CISO?
I’ve been wondering this for several years now, and maybe you can help me: what kind of “professional development” should a CISO have, both to stay current and to prepare for the next position?
In my own experience, you’re supposed to be a mile wide AND a mile deep in order to do your job effectively. The problem is that I have the schedule of an executive with the issues of a hands-on techie. I really envy the people that have a job that allows them to focus on one facet of security; I can’t really become an expert in anything any more, except for maybe CISO-ing.
I have to be able to take part in a design review, discuss data models, argue about virtualized switches, interpret legislation, explain the latest security exploits, manage personnel issues, negotiate contracts, and examine registry keys. I have to be able to talk about everything from LDAP schemas to data masking. This isn’t even including the business-specific issues and processes that I need to be aware of.
So what kinds of classes should I be taking? I can take generic management training (“20 ways to terminate your psycho employee without endangering yourself, others or the company’s liability”), and I can go to conferences and listen to what everyone else is doing (“we’ve discovered AWARENESS TRAINING!”), whether it helps me or not. I can read blogs until I’m cross-eyed, but that doesn’t get me CPEs. As far as I know, they don’t offer courses like “Ruby on Rails for the Executive Who Used to Be Hands-On Back When It Was FORTRAN on Rails.” I don’t have time to take the regular week-long courses in everything I should know at least something about; I don’t even have time to go to one-day classes.
And I’m sorry, but there are only so many times I can sit in on a vendor’s breakfast seminar on some hot new topic before I start hurling croissants (in both senses of the word). As I’ve said before, executive briefings on security are NOT the same thing as briefings for security executives. There’s only one group I know of that does the latter well.
As much as I love the people who go to Black Hat, I do not want or need to sit through 8 hours a day of people describing in great detail exactly how someone could theoretically 0wn my network. And learning how security products work is not the same as professional development.
It seems to me that there are only a few ways that CISOs can grow. One of them is to move to managing the security of a BIGGER operation. Another way is to become a consultant to other CISOs. There are a few who migrate to the CIO role, but I don’t know of anyone who’s actually done that. Assuming that I’m not going to have the chance to do any of these, how am I supposed to “develop” myself further?
Looking forward to your comments ...
Posted by shrdlu on Friday, June 19, 2009