Sunday, July 03, 2005

CSO (Chief Security Officers) and general security issues

I was recently involved in a discussion concerning the apparent elevation of Information Security professionals in the business world. Many companies are now hiring managers into management slots that did not exist before, creating a 'department within a department' (within the IS/IT department). The gist of the discussion was questioning whether this heralded the true elevation of this specialty but quickly turned into what I will call a 'complaint' about the skills of management. Here is my reply:

I do not dispute the "generality" that many managers are not up to the technical level of their employees. I further stipulate that Security Managers may be a little closer in technical ability. The reason for this may be the nascent nature of the management specialty.

However, the reality of the (quoted as generalization from earlier comments in the thread) "Managers, of any type/level, are the middle guys assigned to make sure, those under them, those processes and procedures get implement on time, and under budget. Granted, security managers, in a worse case scenario, are probably the very few who can step in and roll up their sleeves, but for the most part, it's the grunts who do the work." argument depends on many factors. Not the least of which is the flatness of the organization.

I managed a 7 person organization responsible for *all* aspects of telecommunications *and* Information Technology for a company of 1200 employees with 450 nodes on the WAN in 4 locations, 150 mobile employees with laptops, a mainframe, large Unix server, Novell, and 2 WinNT machines running ERP, File/Print/Authentication services, and custom developed applications. I spent only 40% of my time managing and 60% of my time doing 'real work'. I am sure there are many more managers that also do 'real work'.

Mark Twain said "All generalizations are false, including this one." It was okay to use the generalization to make a point but this thread has turned the generalization into the point, which is false. Let's try to remember this.

As for the original point, it is about time the Security field got more recognition. I am happy to see the growth of this as a specialty and have long felt that it should be. Many organizations are actually hiring CSO's (Chief Security Officers). I would like to turn this thread to a discussion of whether these changes are cosmetic or real.

It is one thing to hire a manager in a specialty. It is another to spend money on projects in that discipline. Are these companies putting their money where their" managers are or just "paying lip service" to it?

What do you think? Talk back to me...

Chief Security Officer
working managers

No comments: