Earlier this week, I caught an article by Eric Chabrow about the increase in cybersecurity/infosec leadership programs. This is something that is long overdue – putting actual education behind the idea that leading information security requires a different perspective than practicing it. There is a tremendous amount of training and education available for practitioners – everything from undergraduate programs, to certifications (i.e., CISSP), to CPE – but relatively little programmatic training for leaders outside of books (e.g., The P-CSO).
When talking to customers, I can tell pretty quickly where, individually, they stand on the spectrum between pure security experts and security/business liaisons (if I look at the two programs Eric Chabrow talks about – CMU and U of MD, security/business liaisons are exactly the types of folks they are looking to turn out).
Practitioners have focus – look at technology, understand risk and threats, and generally adopt a risk-averse perspective. They’re focused on risk, not necessarily benefit. Security leaders, on the other hand, act as that security/business liaison, and look closely at both sides of the equation – both risk and business return on that risk.
This isn’t news to anybody, and there are plenty of practitioners who natively understand both sides of the equation (many are Palo Alto Networks customers). Unfortunately, many practitioners end up in charge of security with neither the natural affinity for the role, nor the training required to fulfill it.
Obviously, this is near and dear to my heart, given Palo Alto Networks’ focus on safe application enablement – the idea that applications are good, carry risk, and should be treated accordingly. What that means depends on the application and the business, but generally there's a lot of "allow, but..." policy statements that enable certain groups to use certain aspects of an application in certain ways, with appropriate content (i.e., no threats). The more security leaders have the perspective that high-risk, high-reward applications should be safely enabled for the overall good of the business, the better the overall state of information security.