“’Tis but thy name that is my enemy,” wrote Shakespeare. And the same might be said for many professionals operating in the Information Security field. Job titles are proliferating to the extent that it’s becoming difficult for managers and security vendors to figure out just where to direct enquiries. I was mindful of this recently when a colleague in a large organisation asked me for advice on job titles for his growing security community.
There’s certainly a lot of choice. Contemporary labels such as “security”, “privacy”, “risk”, “compliance” and “assurance” might underpin similar activities, but they convey very different meanings. To a lay person, the first one sounds as though it stops people stealing things; the second as though it champions the human rights of staff; the third as though it protects investments; the fourth as though it sets out to find faults with managers; and the last as though it’s a quality check. And none of these terms sound remotely technical, unless you add a prefix such as “electronic”, which is surprisingly rare, though it can add a much-needed touch of glamour to what’s generally perceived as a dull subject area. “Digital” is used by at least one big organisation, but to my ears it sounds a little quirky, though it’s clearly better than “analogue”. The old-fashioned prefix of “computer” was effective in its day, leaving no doubt about its scope, but that’s now far too narrow.
On top of all this confusion we tend to adopt confusing qualifiers such as adviser, consultant, architect, officer, manager or even evangelist. To me, the first two conjure up that classic Head Office function, the one that instructs managers what to do without providing any real assistance or having any real clout. The term “architect” is a daring one. It brings to mind someone who’s likely to be well qualified but quite detached from the sharp end of the business. And of course the term “evangelist” can only describe either a salesman or a fanatic. Only the term “manager” suggests any real footing in business reality, but it’s less imaginative. “CISO” still seems to be the job title to which most professionals aspire, though it means little to a business person. But the use of “CxO” titles continues to spread. The latest one is “Chief Privacy Officer”. It’s an interesting one to watch, as being accountable for such a subject area can be dangerous ground for non-legal types. Another variant is “CRO” (where “R” stands for risk) but for me the jury is still out on the effectiveness of centrally coordinated enterprise risk management programmes.
Job titles should be selected with care because they help outsiders understand the function a professional is there to perform. “Security” has always worked reasonably well because it’s self-explanatory. I’m less taken with the growing fashion in the public sector for “information assurance”, which is not at all obvious to the average lay person. It also suggests additional skills not generally found in security, such as data or information management. (When did you last meet a security professional who was proficient in designing enterprise data architectures and taxonomies?) But job titles are important for enhancing people’s self-esteem and enabling their professional development. And, more importantly, for enhancing CVs. They also cost nothing, unless of course you happen to be benchmarking salaries. At the end of the day, however, we shouldn’t forget that the only job title that really counts for anything is the select, all-powerful one of “owner”. Unless of course you prefer the more hubristic title of “master”.