I read the most excellent blog post from Dave Shackleford It is NOT time to “professionalize” information security.
He could not have been more right when he said “The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie…” Dave was pushing back against this post from Brian Honan Is it time to professionalize information security? Dave is right, Brian is wrong, but they are both missing the point.
If professionalization means certification to avoid charlatans (Brian’s point) that is a complete waste of time (Dave’s point). All I have to say is “CISSP” and I pretty much feel the argument is over.
Security departments are in transformation. They have been splitting into security operations and governance/risk management groups who own the policy, authority, business interface, and most of the decision making led by a CISO or CRO. See the graphic to understand the relationships.
Security ops is where kittens need to be very afraid. I want the smartest, craziest, out of the box thinkers on my ops team, but the evolving nature of infosec in large organizations REQUIRES people who at least own a suit. But forget the suit, they need to have the smallest understanding of their business.
This business alignment crap is not crap, although it has been treated as crap by generations of security professionals. Where do you think your funding comes from? If you said FUD, you would be right for the previous decade, but that can’t be the answer for the next decade.
Gartner data shows that 80% of the G2000 will require at least annual reporting to their board of director on the state of security and IT risk. This will require at least some understanding of the impact IT risk and security has on your business.
You don’t have to go to business school but you can’t remain ignorant of your own business.
There has been a major trend for more than 5 years now to hire CISOs with no background in security, but they have program management skills, an understanding of their business, and a track record of success in fixing problem areas in the enterprise.
This is one area I disagree with Dave. He implies that infosec doesn’t need fixing, and it desperately does. On that point, though, we are probably talking about two entirely different aspects of information security.
It is a good time to get into security and IT risk management, but that comes with some challenges that I have chronicled in this post: The Demand for Security Skills is not Improving Security Execution.
The bottom line is that it is very hard to develop a mature security program when you can’t find experienced resources that know program management AND security technology.
- Consider hiring from within, someone who knows your company and IT, and a desire to learn the security skills.
- Prioritize program management experience over technology skills if you’re looking for a security manager or CISO.
So the only person I completely disagree with is Brian. Professionalization (certification) is a distraction, plus we already have it and it already doesn’t work. But we do need more professionals in information security. Including some who can light kittens on fire.
Paul Proctor, CISSP, CISM
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.