Gail Griffith sells houses for a living. But what interests her more than a nice 4-bedroom in a good school district are paper shredders — or, more specifically, the fact that her real estate office does not have them, even though mortgage applications contain personal details that can be used for identity theft.
“Security is in my heart. I can’t get away from it,” says Griffith, former deputy CISO of Delta Airlines in Atlanta. But, apparently, security has gotten away from her. For the past two years, since she took an early leave package from Delta, Griffith has been working for Metro Brokers — and growing increasingly frustrated about job prospects for information security practitioners who are more interested in strategy than in bits and bytes. In fact, she’s no longer actively looking for a job in her field.
“Mostly when you go looking at information security jobs, they’re looking for technical skills — for somebody to manage the network,” says Griffith, 56, who has decades of experience in IT and was a co-founder of Georgia’s influential Stop Identity Theft Network. “I’m just so far beyond that. Technology is just a tool.”
It’s enough to make me wonder if that old joke about CIO standing for “career is over” might return — this time, with CISO standing for “career is so over.” The saying didn’t prove true for CIOs, and I don’t think it will for CISOs, either. But we’re definitely in a lull.
“There are fewer jobs out there, and the question is, why?” says Lori Sabat, who runs an eponymous information security executive placement firm. “The jobs are in very specific areas, like application security, security architecture and high-level network engineering.”
Not that there aren’t CISO roles being created. The US Department of Treasury recently named AT&T’s Tim Hurr its first CISO. The federal government has embraced the role; the Department of Homeland Security has even created a CISO Forum. But there just aren’t as many new CISO positions as people like Sabat expected in industries like transportation, utilities and energy.
Everyone knows that, recovery or no, the job market stinks right now. But there’s more to it than that. Sabat says that the large number of mergers and acquisitions, especially in the financial services and pharmaceutical industries, means that there are fewer companies at which to place C-level security executives. More ominously, though, she suspects that companies are relying on vendors and consultants — not their own executives — to guide their information security efforts.
Case in point: After being let go as the CISO of Fidelity Investments, Bruce Moulton — who is well respected for his business savvy and his role as a co-founder of the Financial Services Information Sharing and Analysis Center — spent months looking for a job. Eventually, he landed not at another financial services company but as vice president of information security business strategy for Symantec.
That’s fine and dandy for him, and for Symantec’s customers. But you don’t need me to tell you that it’s incredibly short-sighted for companies to rely on vendors and consultants to think strategically about security. Even if day-to-day security operations can be outsourced, someone within the company needs to be managing vendors, advocating security at the boardroom level and finding ways for security to help the business meet its goals. In the long run, I think companies are going to realise it costs more, and is less effective, to outsource something so important. It’s just a matter of whether they’ll learn this the hard way.
Gail Griffith, for her part, might very well carve out a niche for herself as the security-conscious realtor. Maybe she’ll sell a few home alarm systems. She might even convince her new employer to invest in a paper shredder. But we’re just not going to find a way to stop the next MyDoom — or something worse — while people like her are selling real estate.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.