Most of you reading this are security practitioners, and I can safely assume that each of you has discussed this topic at conferences and airports for years: Is our role a thankless one, and one doomed to failure?
A recent article in the New York Times on July 20, 2014 [1] provided an objective look at the role of the CISO, and provided a peek into our world for the general public. I had many friends forward it to me with comments ranging from “is that what your job is like?” to “I didn’t know you made that much money!” Let’s forget about the salary talk for this venue, and ask ourselves, how accurately did the article portray the role of the CISO in 2014?
It begins with “pity the poor information security officer,” moves towards how critical the role is to the enterprise at this time, and then ends with an anecdote of losing your job (after a third breach, mind you). What a roller coaster ride! That, in essence, describes what the day-to-day role of the CISO is like, with all of its daily unknowns, and the highs and lows of providing security for an enterprise.
The article also talks of the need to be skilled in crisis management and communications. That certainly is true, as we all will experience this at some point.
But think of how these skills impact us in our normal operating mission! Highly tuned communications are key to engaging the community at all levels, and the ability to manage and lead during any period of stress is something that gets noticed.
Both of these can make the CISO stand out in a crowd. You may recall that in years past the security team was one to be avoided, but now the skills are necessary and marketable, and the CISO is one to be turned to when leadership, decisiveness and action are required.
The article has the elements of doom and gloom as it recounts breaches that led to the release of the CISO. With words like pity, thankless, sacrificed and angst, and some of the CISOs answering a study that it was “the worst job they ever had,” I fear that the article will be an alarm for talented people that aspire to the CISO role as a career.
I’d answer to the contrary. Like any role that has enterprise responsibility, there is stress and the need to perform at a high level. While this may be a daily occurrence, it is an opportunity to provide value to the entire organization. So while I’m thankful for the recognition that the article has brought, I don’t find the role of CISO one to pity. I find it fulfilling, and one that I counsel young professionals to aspire to. I hope that you do as well.
=======================================
1 A Tough Corporate Job Asks One Question: Can You Hack It? http://www.nytimes.com/2014/07/21/business/a-tough-corporate-job-asks-one-question-can-you-hack-it.html?_r=0