The role of the Certified Information Security Manager (CISM) is changing from a technology focus to more of a business focus, according to a survey by IT governance, control, security and assurance organization ISACA.
“The whole area of computer security is maturing,” said Bruce Wilkins, president and CEO of TWM Associates and CISM chair for the Test Enhancement Committee at ISACA. “The mystery when we speak of security is becoming more accepted in the business place. So as a result, we’re starting to see the need for true managers. [There are] business managers now who are experts in security in some discipline.”
The survey — titled “Information Security Career Progression Survey Results” — was taken by more than 1,400 CISMs in 83 countries and revealed that they are moving up into management ranks and taking on more business-focused responsibilities. The most common activities performed by CISMs are risk management; security program management; data security; policy creation; and maintenance and regulatory compliance, according to the survey.
Companies aren’t looking for technicians who run scripts or security-automated tools to become CISMs, Wilkins said. Organizations are increasingly finding a need for the CISM to move out of the IT arena and serve a corporate assurance function. Employers are asking, “How can I use security so that it complements what the company is trying to do in the marketplace?” “[Companies] need businesspeople — people with a vision,” Wilkins said. “It’s about that person with the big idea, with the vision from the security perspective, that complements where the business is going.”
As stated in the survey: “The role of information security manager is evolving to be one that focuses on the application of technology to solve business problems rather than being a purely technical specialization.”
The Future of the CISM
The role of the security manager will be more specialized and likely will not change to a generalized manager, Wilkins said. “The concept of a generalized manager is, once you graduate from Harvard, you can manage anything,” Wilkins said. “But security managers have to grow up into [the discipline] to understand all the nuances of what they’re doing.”
Even as the industry evolves, Wilkins said the need for a CISM always will be there. He added this is an interesting time for information security managers because, according to the survey, people look at the CISM as a career progression — a role that might not befit a technician.
“The technician runs automated tools to check the security posture of a Unix box or a Cisco router,” he said. Companies need to understand that the CISM may not be the best security person in the organization but is generally the best manager who understands security and its connotations.
“There are many disciplines in security, and CISMs are not expected to be familiar with all of them. But a working knowledge in all of them [is needed],” Wilkins added.