What makes a good information security officer?

The UK government aims to improve levels of professionalism in information assurance and cyber defence across the public and private sector. But its cyber security strategy is based on the assumption that the UK is insufficiently prepared to counter the current and imminently expected cyber onslaught from both organised crime and foreign nation states.

This begs the question: what makes a good and professional chief information security officer (CISO), and what should his or her role be within the company?

Stuart Aston, chief security adviser at Microsoft, believes a combination of business and communications ability is more important than a technical background. “Most particularly,” he says, “the CISO must be a good communicator, able to communicate the importance of infosec to all levels, and translate the needs of the board into actionable activities by the information security team.”

Amanda Finch, general manager at the Institute of Information Security Professionals, and herself CISO of the year in 2007, agrees on this hybrid personality. She says a good CISO “needs a strategic mindset to be able to look at the changing threat landscape, changes in technology and working practices and be able to interpret how this will affect the organisation. Strong communication skills are paramount, with the ability to influence at board level to ensure appropriate programmes are realised, but also to evangelise across the organisation at all levels to engender a strong security culture”.

The professionalisation of security needs to be targeted more at companies than individuals

The question then becomes: are such people available, and if so, are they being employed? Tim Holman, the UK president of the Information Systems Security Association (ISSA-UK), thinks yes to the first, but maybe no to the second. “There are so many good security leaders I know through my work at the ISSA-UK, but they feel they would be taking a huge career risk by even considering some of the CISO roles that are on offer today. It’s as if boards just want somebody to blame – and that’s got to change.”

Perhaps, then, the professionalisation of security and the government’s efforts need to be targeted more at companies than at individuals. Note, for example, that it was only after its security breaches affected 100 million customers that Sony began to take security seriously and appointed Philip Reitinger from the US Department of Homeland Security as its new CISO.

In the government’s recent Cyber Security Strategy report, it aims to encourage the development of “a community of ‘ethical hackers’ in the UK to ensure that our networks are robustly protected”. Let’s not quibble about the original meaning of hacker; today it simply means someone who breaks into computers. So, in the process of professionalising security, is it ever a good idea to employ an ex-hacker?

“No,” says Tim Holman pragmatically, “because all the good hackers are still in jail or are banned from using computer equipment. I know some ex-hackers that have learnt from their past experience, but would you ever really trust these guys?” John Morrison, managing director of Sapphire, agrees: “They are wired the wrong way and have the wrong mindset.”

But Mickey Boodaei, chief executive of Trusteer, says: “Ex-hackers can give the good guys an important edge in this fight.” And Steve Watts, co-founder of SecurEnvoy, concurs: “What better than turning the hunted into the hunter?”

According to Microsoft’s Mr Aston: “We need to distinguish between the guy who develops an exploit and releases it into the wild, and the researcher who develops an exploit purely as a proof of concept, without ever disclosing it irresponsibly. The second person here demonstrates two valuable characteristics: a technical understanding of infosecurity and a high degree of moral responsibility. The same cannot be said for the first. Since security is all about trust, you need to ask yourself which of these two people you would trust to protect your data. However, dismissing both categories automatically excludes a potentially valuable resource that could prove beneficial.”

Nowhere in the government’s strategy report does it suggest that we are not sufficiently using a particularly valuable resource: women. Yet by far the majority of security professionals are men. Why is this – are women unsuited to computers and computer security?

Amanda Finch believes that some historical stereotyping is still at play. In this old stereotype, men like doing and women like creating: men like tinkering with the technical workings of security while women would prefer to use security to create a better workplace and environment. But “the industry has changed over time and become more mainstream,” she says. “The emphasis is now on using risk management and user education to protect information. I think that this has helped to attract more women into the industry.”

Bev Robb, an American IT consultant with a speciality in security and the online handle “teksquisite”, agrees with the historical stereotyping, and believes the solution, broadly speaking, lies in education. “Education begins in the home,” she says. “The next step up is schooling, then mentoring. Parenting should expose children to all potential academic resources available, in order to give them myriad options to choose from. If the educational opportunities at home are minimal, then it is essential that opportunities at the school level become available. We also need more female mentors who are willing to offer their expertise to inspire eligible women candidates.”

One thing seems clear: whether the lack of women in the early days of security was down to biology or stereotyping, the evolving professionalisation of security is changing things. The new role of chief information security officer will attract more, and benefit from, greater female involvement.

The professionalisation of security has come a long way, but there is much still to be done. There are excellent security professionals around, but their role needs to be given more prominence within business. It is not so much the individuals that need training; companies need to give more credence to the need for security and the security professionals they already have.

In other areas, judicious use of ex-hackers could increase the professional knowledge of the security team, but companies must think very carefully before bringing them into the professional management of security.

And finally, if business is ever going to treat security really professionally, it needs to take an axe to the glass ceiling and unleash the enormous potential of women in security management.