Saturday, September 26, 2009

Is a CISO an expert generalist?

CISO = Chief Information Security Officer
The title "Responsible for the Security of the Information System" is preferred in Romance languages. The common abbreviation is RSSI.
Both titles refer to a fairly new position in a company: the person who looks after the security of the information system. He has to organize the work, set objectives and, most of the time, provide technical knowledge to other IT teams. He has to know a lot about a lot of things in order to grasp every situation in the information system. Kind of a generalist.

As this is a position I have much respect for (mine!), I was a little puzzled by Anton Chuvakin's post about the myth of the expert generalist, where it is argued that being someone who knows a little about everything is not a good career choice. Later on, Richard Bejtlich also questioned security careers, and I came to ask myself a fundamental question:
  • Am I becoming an expert generalist?
However, I reassured myself quite soon. Yes, the CISO works in all fields of IT security + physical security + management... but there is indeed a speciality in all this. The CISO has to know the company's information system well enough to answer whether a given security practice/project/product is worth it.

In a company, what security is all about is exchanging costly uncertainties for cheaper certainties. And the transition from one to the other has a price. The CISO's primary skill lies in examining the benefits of such changes and implementing them.

While this may seem related to risk management, I think there is a real difference: risk management focuses on producing scenarios and estimates of risks. That is: speculating on the unknown*. This has been widely criticized recently in security blogs.
I prefer to see security as decisions made on known facts: costs, lost hours of work, customer satisfaction, etc.

So to the question "Am I becoming an expert generalist?" my answer is no. My role is more about management, choices and strategies. And I love it. And I can still technically specialize in whatever field I like best.


*What do you actually know about the probability of a hacker intruding into your databases? What do you actually know about the probability of HR data being leaked by mistake? What do you know about the probability of a server hardware crash? Now how do you calculate these risks and prioritize them?

EDIT 10/01/2009: See also Richard Bejtlich's article "Risk-Based Security is the Emperor's New Clothes".