CISOs Don't Live on an IslandTeaming with the CIO to Address Common Security Goals
RSA Chief Information Security Officer Eddie Schwartz says he and other security officers used to think that if they could "just get a grip" on core IT security hygiene such as patch, asset and vulnerability management, for example, they could go a long way toward protecting their enterprises' IT.
But when Schwartz steps back from his day-to-do responsibilities as CISO to take a wider view of the security challenge, he wonders, "Are we, as security people, really the best people to do this anyway?"
The reality is that, if you look across IT, IT people are very good at so many things; they're much better at it in a lot of cases than security people are.
Schwartz isn't speaking of abdicating his responsibilities, but he understands that information security has evolved in recent years as technology and the threat to it has grown more sophisticated. That means closer collaboration with the IT organization has become a necessity for most enterprises.
"The reality is that, if you look across IT, IT people are very good at so many things; they're much better at it in a lot of cases than security people are," Schwartz says, in a conversation I had with him last week (we'll post that interview in the coming days). "They're better at managing SLAs (service-level agreements), they're better at managing all of these standards, in a lot of cases."
RSA recruited Schwartz as its CISO after a massive, advanced persistent threat breach against the security vendor's SecurID two-factor authentication product in 2011 [see RSA Says Hackers Take Aim At Its SecurID Products]. Schwartz had been serving as the chief security officer at NetWitness, a networking security provider that, like RSA, is owned by EMC, the data storage and services company [see RSA's CSO Tells Why He Took the Job].
"I built a fantastic partnership with RSA's CIO, where the CIO and other people within the IT organization help to drive results and excellence around some of the metrics that are critical in doing a good job with security," Schwartz says. "We shifted away from thinking of something as purely security problems and thinking of it as a shared space we all have, where we all share in the goals, where we share in the success or failure, and frankly, we're all rewarded by a good outcome if we do a good job. And, that's important."
RSA's approach to IT security is a necessity in today's marketplace that other organizations, whether in business or government, must replicate. As our analysis of federal government labor data reveals [see Infosec Job Growth Appears to Be Flat], there is virtually no growth in the number of people in the United States who consider themselves IT security professionals, not for a lack of demand for those skills, but because there are just not enough of them to go around.
Indeed, look at the greatest demand for IT security today [see 5 Most In-Demand Security Skills], and you'll see a synergy between IT and IT security: application, data and network security, where application developers along with the data and network managers will assume security as a core skill. IT security can't be an island of its own; it's part of a greater archipelago.