Make security a business issue

Chief information security officers (CISOs) who learn to speak the language of the executive suite can look forward to lifetime careers, but those who know only "geek speak" will find themselves left behind.

That view held sway among the information technology security officials gathered this week in Bethesda, Md., at the annual conference of the Federal Information Systems Security Educators’ Association’s (FISSEA).

To have an effective information security program, agencies need a CISO "who can communicate well in business terms," said James Golden, IT governance executive at the U.S. Postal Service. He added that a CISO's position within an organizational chart is less important than whether the person can communicate comfortably and effectively with senior officials.

Under federal law, CISOs report to agencies' chief information officers, which has meant that many federal CISOs have an IT background, said Jane Norris, senior information security official at the State Department.

But a trend now seen in business could influence how the federal CISO's position evolves, Norris said, citing a Forrester Research estimate that 75 percent of the largest companies will have a chief risk officer by 2007.

Norris said other security experts believe that a legal background and professional certification, in addition to IT experience, may become prerequisites for chief security officials. The profession is changing rapidly, she said, "so where we are going is open at this point."

FISSEA is a national group that promotes awareness, training and education in IT systems security. Since November 2004, it has conducted free security education and awareness workshops for more than 100 federal employees and contractors.