Would you like to become a chief security officer someday?
If so, there are some steps you should be taking right now to make that happen, said John P. Pironti, chief information risk strategist at Getronics and head of the CSO Boot Camp at Interop in Las Vegas. While the conference runs Sunday, May 20, to Friday, May 25, the CSO Boot Camp is being held Sunday and Monday only.
The first generation of CSOs was largely made up of high-tech professionals who knew the threats, the networks, and the technology. That first wave of CSOs is being overtaken now by the more business-focused second wave. That means any techies who want to get into those CSO positions had better understand budgets and the politics of business as well as they understand the most complicated of infrastructures.
"Today, a lot of CSOs are coming up from a business background and they appreciate technology," said Pironti in an interview with InformationWeek. "It's definitely going to be harder [for someone with a technical background], but we're helping them bridge that gap at boot camp. We want them to understand the business issues as well as the technical issues."
Pironti said the boot camp is for both the aspiring CSO and for those who already hold the position but want to sharpen their skills.
"In boot camp, we're assuming you understand the technology part but we want to help you understand the business better -- global challenges versus local challenges, how to function in the politics of the organization, how to manage the finances," Pironti said. "Some tech guys have never had to communicate to the management team or handle a budget before."
For technical professionals looking to step up into a CSO role, Pironti said there are five principles to grasp and skills to master:
Think business and not technology. Remember that a CSO is really servicing the business. Appreciate that the technology is always chasing the problem. "Everything we do and bring to the table is business enabling," said Pironti. "First, you need to understand the problem and then you use technology to solve it."
Be proactive. Understand the threats that are going to be coming at your organization. Try to figure out what the threats are before they're pounding on your door. Pironti said a good CSO has a firm handle on the likelihood of what could happen and the business impact it would have on the company. "There are a million things that could happen to you, but what is most likely to happen to you?" he asked.
Know how to communicate beyond your own world. How effectively do you communicate within the business environment? A lot of people in the security field are good at talking in technical terms, but they're not quite so skilled at communicating in a meaningful way to the executives who hold the purse strings. A good CSO has to be able to adapt to different environments. "How do you embed information security into the everyday?" asked Pironti. "You have to take all this information you've gathered and get those who need to understand it to understand it. Management teams want to see PowerPoints and numbers. That's what they understand. Know your audience. Understand the corporate culture. Understand how people learn."
Learn to create a culture of secure code. You need to be able to create a culture where people feel they can spend the time to sit down and write better, more secure code. Focus on the programming community. CSOs need to be able to put the right controls and processes in place so developers are given the opportunity to build code that is flawless, or as close to flawless as possible, Pironti said. It's about enabling the programmers to do their jobs to the best of their abilities. Figure out where the problems generally stem from, then go there and fix them.
Metrics, metrics, metrics! CSOs have to be able to prove that what they're doing is working well and getting better. "In order to become a CSO you need to know how to develop, report, and analyze metrics," said Pironti. "First, you have to understand what you should measure; what is meaningful and what is not; how to analyze the metrics you get; and then how to report them to different audiences. If you're running a business department, you need to justify resources and investments. This is about making [the information security program] a repeatable, sustainable business process that can be cost contained and show value on a regular basis."