The role of the Certified Information Security Manager (CISM) is changing from a technology focus to more of a business focus, according to a survey by IT governance, control, security and assurance organization ISACA.
“The whole area of computer security is maturing,” said Bruce Wilkins, president and CEO of TWM Associates and CISM chair for the Test Enhancement Committee at ISACA. “The mystery when we speak of security is becoming more accepted in the business place. So as a result, we’re starting to see the need for true managers. [There are] business managers now who are experts in security in some discipline.”
The survey — titled “Information Security Career Progression Survey Results” — was taken by more than 1,400 CISMs in 83 countries and revealed that they are moving up into management ranks and taking on more business-focused responsibilities. The most common activities performed by CISMs are risk management; security program management; data security; policy creation; and maintenance and regulatory compliance, according to the survey.
Companies aren’t looking for technicians who run scripts or security-automated tools to become CISMs, Wilkins said. Organizations are increasingly finding a need for the CISM to move out of the IT arena and serve a corporate assurance function. Employers are asking, “How can I use security so that it complements what the company is trying to do in the marketplace?” “[Companies] need businesspeople — people with a vision,” Wilkins said. “It’s about that person with the big idea,…