Panelists discuss path to top IT security job

To become a chief information security officer, learn to speak and write succinctly. That was the advice from a panel of successful CISOs to system and network administrators who aspire to become security executives.

“Think crisply, and write well,” said Jane Scott Norris, the State Department’s CISO. Speaking today at the Computer Security Institute's conference and exhibition in Washington, D.C., Norris said information security executives must be able to present a case for action in one page—no more. To prepare for the executive suite, “get your thinking really succinct,” she said.

Another speaker, Bill Hancock, vice president of global security solutions and chief security officer at Savvis Communications, said writing is a skill he expects his staff members to master. “A security person writes a lot—white papers, PowerPoint slides,” he said.

A CISO needs a balance of technical and management skills, Norris added. “You need to know enough about management so you can fit in and enough about technology so you don’t get snowed.”

No direct path exists from the CISO’s office to the chief executive or senior agency executive’s office, panelists agreed during a discussion of the evolving role of CISOs. The path to the chief executive officer’s office runs through the office of the chief financial officer, said Jennifer Bayuk, CISO and managing director of information security at Bear, Stearns and Co. “Become a CPA and then get promoted to CFO,” she said.

Panelist Terri Curran, director of information security at Bose, said her advice to security administrators in their 20s who want to become CISOs is to be patient. “It takes a long time to become a CISO that your management is going to trust. Patience is key.”