
November 23, 2009

Seizing management power, is not keeping it

This past weekend I received my hard copy of the 20th anniversary issue of SC Magazine. Hate it or love it, 20 years covering information security is a statement. Congrats to Ilena and the rest of the team there! One article by Dan Kaplan caught my eye (BTW, I had no idea that Dan checks my blog for ideas, as Joe Franscella says). “Seizing Management Power” chronicles the evolution of the CISO position “from introverted techie into slick businessperson”. Dan looks at Howard Schmidt’s career from police officer and ham radio enthusiast to security pro today. He also looks at several other prominent people who have held the CISO position at large corporations. It is interesting that each of these people came in, set up a security program, and then moved on.

Today’s CISOs are as likely to have an MBA as they are a CISSP, says Kaplan. I agree with Dan, they are as likely. But just as the mission has evolved from techie to business speak, the scope has also been narrowly defined. It is an architectural position, not a long-term place at the table. As the article points out, the CISO needs to be proficient in “people, processes and technology”.

Ultimately, though, Kaplan states that “going forward, though, as the CISO position assures its foothold in the corporate boardroom, some observers wonder if the function has an infinite lifespan”. My theory is not an infinite lifespan in terms of function. There will always be the need to come in and set up or reshape a security program. But once that is done, what is next? How long do the CFO and CEO want to keep paying big bucks for the architect? The CISO comes in with a mandate and power, but can they keep it? That is the hole in the bottom of the CISO bucket.

I think the CISO’s architect role can be accomplished with a proven methodology, in a given time frame and within an agreed-upon budget, and then handed off to a caretaker rather than the architect. CISOs are too highly compensated to be expensive cheerleaders. At the end of the day, that is why I think CISO is a great place for a consultant.

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.