It's no surprise that in today's technology-driven business environment, information protection and the role of computer security professionals have taken center stage. Protecting your technology and information has become a monumental task, from blocking hackers to tracking down cyber-thieves.
And the problem is growing. The CERT Coordination Center at Carnegie Mellon University tracked around 137,000 internet security incidents in 2003, nearly twice as many as in 2002. No wonder the amount of money spent this year on computer security is expected to reach an all-time high of $13.5 billion (twice the total in 2000), according to market researcher Forrester Research Inc. By 2006, it could reach $20 billion.
Spam, a basic form of intrusion, can cost a 10,000-employee company without effective anti-spam technology about $1.1 million this year in decreased productivity, helpdesk costs, and use of IT resources. That's just to ward off the millions of (mostly) harmless e-mails sent hawking useless services and products to unwitting employees.
As security becomes more critical to the bottom line, the job of information security professionals continues to evolve, taking on an urgent importance in the highest echelons of the organization. Corporations have always had legal and business reasons to secure the physical infrastructure of a corporate IT system, but now there is also the responsibility of adhering to privacy regulations, producing a legal obligation to secure online information.
Have the security professionals entrusted with doing this critical job matured with the growing importance of the job itself? Generally, the answer is no. The world's smartest security professionals – regardless of their titles – will be locked out of the executive suite every time if they cannot develop a keener business acumen and focus on the basics to generate profit for the company.
True, the CISO must envision a vertical security infrastructure that includes all aspects of corporate networks, hardware, software, applications and data. But just as important is being able to communicate this vision, which requires understanding business fundamentals. Learning how your company makes money and operates as a whole is as essential to your career as knowing about the latest in WiFi defense tools.
In his book What the CEO Wants You To Know: How Your Company Really Works, Ram Charan warns aspiring professionals about building a career in a silo – that is, focusing on just one area of the company such as sales or production. Such career tracks, he writes, tend to narrow your perspective and influence your daily decisions. The danger of this approach is that what might be best for your department might not be best for the company as a whole, which is why overall business acumen is critical.
For CISOs to work effectively with the executive team, they must understand business fundamentals; have expert communication, negotiation and leadership skills; and have technical knowledge of information technology and security hardware. In a recent Fortune magazine article, Motorola's CISO Bill Boni perfectly described the security executive's job, stating: "Understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards."
How, then, will the new generation of corporate CISOs find a seat at the management-team table? First, they must work to dispel some of the long-held (and often true) stereotypes of information security professionals: for instance, the perception that we have limited business knowledge, are often an impediment to business progress, and are unyielding in technology decisions.
As sophisticated as we have become, we have work to do before sitting beside top managers. Still, the opportunity is there. Recent research by the Yankee Group noted that while high-ranking executives are increasingly burdened with strategic and tactical decisions to maximize shareholder value, many of these responsibilities conflict with the enterprise's security requirements. The research concluded that while security should be a concern for CEOs, it never becomes a priority until it becomes a differentiator for the business. The job of the new CISO is to communicate how security is already a differentiator on every level, from finance and HR to corporate identity and reputation.
To become a trusted security advisor, a CISO must be empowered by the full confidence of the CEO. To gain that confidence, you must broaden your knowledge of business fundamentals by obtaining professional certifications and management experience; understanding and supporting all levels and departments within your business; becoming reputable as an advocate of business processes; and supporting and driving business decisions. With these improvements, the next generation of CISOs should – and must – be sitting beside the highest management executives.