Where should the CSO or Network Security reside within the corporate structure?
Posted by: gsmckee4 in Questions

This is another question that I have received via email. As with many questions, there is no generic answer. My answer is typically "It depends." So much depends on the organization and its corporate culture. That said, here is my attempt to answer the question generically.
As I am sure everyone involved in this discussion will argue: at least on a par with the CIO. I agree with that argument wholeheartedly, but the sad reality is that all too often the CSO or Network Security group is an element of the IT department under the CIO. The line of thinking that places us there is that, since the devices we oversee are IT assets, the IT department is the most appropriate home for us.
Ideally the CSO should answer directly to the CEO or COO and sit at the same level as, or above, the CIO. That said, not many of our colleagues in these positions find themselves so positioned. The trick becomes how to be effective from a disadvantageous position.
Network Security should enable business, not hinder it. Why not leverage this to push our agenda? As an enabler, we need to facilitate change through sound business practices and by becoming the ultimate team player. That does not mean compromising our ethics with regard to security. In my opinion, anyone who finds themselves in a position where they need to compromise their ethics was probably ineffective in delivering or framing their argument for security.
A good leader is also a good listener. Listening to the needs of the business and formulating ways to meet those needs while remaining secure is the key to success in the CSO position. Granted, there will be times when we find ourselves up against roadblocks, and we cannot win every battle. An occasional roadblock or defeat can be dealt with, but if we are faced with a systematic disregard for security then we need to ask ourselves two questions: Why did the company really create this position, and why do I really want to stay here if I am not being effective?
I like beer (bear with me here - I'll tie back into the topic). I used to have a girlfriend, back before I got married, who hated beer. While she didn't have a problem with me having a few cold ones occasionally, she kept asking me why I liked beer. She just couldn't understand how anyone could like the taste. I told her that she just hadn't had a beer she liked yet, but that there were hundreds of different varieties. She of course didn't believe me until I cooked dinner for her one night. At dinner, I served a Raspberry Lambic (beer). She commented on how wonderful the dinner was (I went to culinary school after college, classically French trained) and how wonderful the Raspberry Champagne was, and wherever did I find it? Imagine her astonishment when I told her that it wasn't champagne but beer.
The point is that my ex-girlfriend thought she didn't like beer, but in reality she just hadn't tried a beer she liked yet. Information Security is a lot like that. If you keep serving up the same old beer time and time again when you know that your boss doesn't like it, then you deserve to have it thrown back in your face. Switch tactics instead: give your boss something they think they want, and then tell them that not only does it taste good, it is also the very thing they thought they didn't want in the first place. That will probably be met with a different outcome.
We need to be educators. We need to deliver our message in such a way that we keep our audience receptive to what we are saying and educate them on why this should be important to them. If we are "organizationally challenged," that does not mean that we cannot be effective; the job is definitely harder, but nothing worthwhile is easy.
Often the org chart places security where the organization feels it best fits. This is sometimes indicative of the importance the organization places on Information Security (and sometimes it is just where it is, without any meaning whatsoever). Our job is to change that perception, relate what we do to our business's mission, and show that by adopting secure business practices the mission will become more effective. In short, our job is to educate.
Tags: CEO, CIO, CSO, educators, Network Security, organizational structure
Nice timing, they just moved our IT security department under IT Operations yesterday! Yeah!
Lambic Framboise is much good.
You cannot put the CSO/CISO underneath the CIO if you expect them to be responsible for physical and personnel security.
Working for the CIO is the kiss of death because you're a cost center inside a cost center. It's a phenomenal way to watch the security budget dwindle down to nothing.