The CISO: A Top Cop for Corporate IT
By Sue Hildreth | June 2008

Many mid-sized and large companies are creating a C-level position to oversee the complex and potentially costly legal, technical and business issues involved in maintaining IT security. The need for these Chief Information Security Officers, as they're called, "has grown 100-fold in the past five years," says Harold Thornton, senior IT security recruiter for Bradsby Group, a Denver-based recruiting firm. "Companies have to look at improving their information security from the standpoint of compliance, as well as from a strategic perspective, and do it within budgetary guidelines. So it becomes imperative to have someone like a CISO."

CISOs may report to the CIO, the CEO or the chief risk officer, but their job is to understand IT security issues and technologies and weigh the risks involved in technology decisions. They're in demand particularly at very large companies, firms in highly security-conscious industries, and organizations that must meet stringent government or industry security regulations.

Security is a particular concern in companies governed by regulations with teeth, such as Sarbanes-Oxley or the Payment Card Industry Data Security Standard, the credit card industry's attempt to govern itself, says Jeff Ahlerich, CTO for Looking Glass Systems, a Boulder, Colo., company that provides security and compliance consulting. "If your company has a computer breach that results in millions of credit card numbers being released into the wild, Visa is going to come down pretty hard on you."
A Breadth of Knowledge

Craig Shumard, the CISO for insurance giant Cigna, says the job requires not only knowledge of IT security, but also an understanding of risk management and basic corporate operating controls and audit procedures. It involves not only deciding on security products and processes, but making decisions about whether, and how, new technologies can be safely implemented. That often requires collaboration with other business departments to understand how their needs with a specific technology, such as a wiki or a Blackberry, might impact corporate security.

"We have a lot of business interactions in which people want to share information, often through Web 2.0 technologies or on removable media, and that type of collaboration is a critical element in our business," explains Shumard. "It also impacts security. So I work with people to understand their goals, look at the technologies, and understand how we can leverage them from a business standpoint, yet not put our intellectual property at risk."

Shumard started out as an underwriter for Cigna in the late 1980s, just as the personal computer was gaining traction as a business tool and the movement to client-server computing was beginning. He moved into IT after getting involved in Cigna's early PC and LAN efforts, and later worked in application and network development. "My group probably had the first three PCs purchased by Cigna, and we were all happy when they did spreadsheet stuff," he remembers.
Credentials Required

Today, most CISOs come from IT security and acquire their business, regulatory and risk management knowledge through experience and professional development efforts. In some cases, that means getting a second bachelor's degree, in business, or even an MBA. It almost always means earning two or more of the IT security certifications that are available, according to Thornton.

Most CISOs will have several security certifications, such as the Certified Information Security Manager (CISM), which is administered by the Information Systems Audit and Control Association (ISACA), or the Systems Security Certified Professional (SSCP) and the Certified Information Systems Security Professional (CISSP), both administered by the International Information Systems Security Certification Consortium (ISC)2. The CISSP certification covers ten "domains" of knowledge, including access controls, application security, disaster recovery planning, risk management, regulations and compliance, and security architectures. A candidate must have at least five years of professional experience in information security, or an undergraduate or master's degree in information security.

Of course, the goal of the degrees and certifications is not to have a lot of sheepskin to hang on the wall, but to build up a depth and breadth of knowledge in business, IT and security trends and best practices. The end result should be an executive who can think strategically as well as practically about how technology impacts business - the risks as well as the rewards - and can weigh the complex range of issues when deciding how to implement a new technology or security practice. That requires experience and an ability to accept the fact that there are no black and white answers to some problems.

"There's never a 'right' answer," says Shumard. "There are lots of different answers, and different mitigating controls that you can put into place. Being able to understand the depth and breadth of what you have in your toolbelt, and how that can enable the business, as well as how it impacts it - that breadth of understanding is critical."

Sue Hildreth is an IT writer based in Waltham, Mass.