Security professionals must know the business to rise through the ranks

Chief information security officers and the important work they do increasingly are being recognized in the C suite. Results from the second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by the International Information Systems Security Certification Consortium, show information security professionals are moving up in the corporate ranks.

The study notes that accountability for information security has risen up the management hierarchy and now rests with the board of directors and CEO, CISO or CSO. Nearly 21 percent of study respondents said their CEO is now ultimately responsible for information security (nearly double the 12 percent of respondents holding this opinion in 2004), and 73 percent said this trend will continue.

Complex security solutions, regulatory requirements, threat-technology advances and costly security breaches make it essential that organizations be proactive in guarding their digital assets. As a result, the CISO position focuses on risk management and is becoming more integrated with business functions. Security professionals must hone their technical and business skills to prepare for this role.

Independent validation of competency and experience, together with a commitment to the information security profession, are door-openers for those who aspire to move into the CISO position. Information security practitioners should consider the value of obtaining certifications from a professional security association to help further their careers. According to the GISWS, 90 percent of respondents involved in hiring view certifications as somewhat or very important when they're making hiring decisions. And more than 60 percent indicated they intend to acquire at least one information security certification within the next 12 months.

Career Building

There are two categories of information security certifications: vendor-neutral and vendor-specific. Both are helpful for career development. Vendor-specific credentials (such as from Cisco and Microsoft) are important ways to gain necessary skills. They need to be accompanied by certifications that demonstrate a broad foundation of knowledge and experience. The Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications are sound choices.

When developing your career plan, look for help from associations offering career-building services and ongoing education, opportunities to demonstrate subject matter expertise, avenues for peer networking, access to industry research and volunteer opportunities.

A great resource for finding information security-focused educational institutions and organizations, professional associations, conferences and trade shows, online resources, and publications is ISC2's 2006 Resource Guide for Today's Information Security Professional, Global Edition. This free guide is available online ( see www.isc2.org/cgi-bin/content.cgi?page=920 ).

Security certification and experience will do you little good on their own, however. To rise through the technical ranks and become a CISO, you also must be able to communicate in business terms. You can do this by combining your technical expertise with expertise at communicating business value. You should be able to explain the benefits of security in terms of ROI, its value in improving the organization's ability to conduct business and the practical solutions it provides to problems - all interwoven with the organization's appetite for risk.