But to keep company execs interested in the next CD, so to speak, the IT security professional needs to have a mix of abilities -- including a penchant for adapting to rapid technological change, a knack for bonding with people outside IT and an understanding that threats in the physical world could impact the corner of cyberspace you're trying to protect.
David Sherry, vice president of enterprise identity and access management for Citizens Financial Group in Rhode Island, played up the geek-to-rock-star theme in one of his conference presentations, saying that information security was once viewed as a hindrance to company policy and growth. But the IT professional's stock has risen as security risks become more apparent to the top brass.
"At one time we were just a cost center, a necessary part of doing business that didn't provide a lot of value," he said. "Now, because of our identity management initiative, we actually had a department call us rock stars … by getting people on quicker and helping departments remain compliant we are enabling the business to grow and remain secure, keeping our CEO's name off the front page of The Boston Globe. We are becoming rock stars, being asked to come to the table instead of being shunned."
But as musical stars know, it takes a lot of work to keep the audience coming back for the next song, and the same reality applies for an IT security rock star, Sherry said. You have to show consistent progress. The top execs may love your initial proposal and let you run with it, but they need to see that what you've put in place actually works over the long haul.
Part of making a security routine a long-term success is the IT officer's ability to foresee how future changes in technology will ultimately affect the company's operations. In other words, they must be able to see change coming and update security policies to meet it, said Pamela Fusco, executive director of security solutions for FishNet Security and former executive vice president of global information security for Citigroup Technology Infrastructure (CTI).
"Technological changes are bringing about significant unforeseen consequences," Fusco said. "Whatever we put in place today has a lifecycle of about five years, and we need to be thinking ahead. If you're installing Windows Vista today, you need to start thinking about what will be in the next version of Vista. Do you think there won't be any more patches because of Vista? Of course not."
IT shops will eventually want Vista anyway because it's the latest Microsoft has to offer, she said. The key is to understand it won't be the last major upgrade you'll ever have to make.
To be successful at ushering in change, Fusco said, IT professionals must have a positive attitude, invite colleagues to collaborate in the process and acknowledge mistakes, which are inevitable.
"Change brings mistakes, frustration and finger-pointing," she said. "It can be viewed negatively for fear of the unknown. You need to be able to explain why something is needed and define the expected outcome. Be positive, celebrate successes and failures and communicate the milestones."
Another key to rock star status is the ability to keep tabs on data traveling outside the company, according to Anne Oribello, senior information security analyst for Genzyme .
"A common problem is that people focus strictly on getting their internal infrastructure up to speed without paying attention to the fact that some of their data is going outside," she said. One key to tracking that data is to have a good relationship with people in departments outside of IT. Having a good relationship with someone in the purchasing department, for example, can make the IT professional more aware of where data from that department may be traveling.
One department it's important to keep in touch with is the one that handles physical security, according to Ernest Hayden, CISO for the Port of Seattle, and Dennis Treece, director of corporate security for the Massachusetts Port Authority.
After all, they said, threats that affect an organisation's physical buildings and grounds can have an ultimate impact on the organisation's IT security.
"There are real benefits to having the physical and IT security people on the same page," Hayden said. To ensure that different departments are on the same page, he said the Port of Seattle has a corporate security coordination committee.
To create more security rock starts in the future, Treece said a better academic program is needed.
"One of the big issues for me is that I want to see a recognised degree program to prepare people for the converged role of CSO and CISO," he said, adding that he hopes to play a role in creating such a program.
This was first published in March 2007