There is a growing need for deep business knowledge to be joined to the art of information security. It is time to formalise the transition from technical to executive management.
The field of information security was established by people with a deep understanding of technology, who recognised the need to figure out how to secure it. With time, they realised security had to be more: there were management problems to address; risks to assess; business processes and aims to understand. The growing emphasis on risk management has brought the need for deep business knowledge into the art of information security. It has not done away with the need for technical skills, so businesses must find a way for security staff to progress into senior management.
If the ability to understand technology is fundamental in business today, then technical managers are well placed. Without good technical underpinnings, generalist managers can struggle to earn the respect of the security and IT teams they rely on. Technical specialists are potentially best placed to move into security management – so long as they have the right personal skills.
Gaining these CISO-level executive skills is a challenge. Unlike their business-line C-level colleagues, security managers must maintain the currency of their professional knowledge, while developing leadership skills.
Executive competency is deeply rooted in soft skills: an understanding of business relevance, and the ability to influence people, lead teams and manage change.
There are few options for developing these skills. Those working in large companies may have a general executive development programme. Those who do not are seeking help elsewhere, with growing demand for executive development and mentoring. The Institute of Information Security Professionals brokers mentoring relationships. Such schemes work best when a company sanctions the effort of all involved, and formalises a programme. The time, structure, and assessment required are often too much for informal mentoring plans.
Companies have to do more than just create security leadership roles. They need to plan succession and to develop the next level of security manager. They can structure this internally, or use outside services with formalised coaching offerings and/or work co-operatively with other firms. The first step is to recognise that doing nothing is no longer an option.
Paul Dorey is chair of the Institute of Information Security Professionals and co-founder, Security Faculty