What It Takes to Be a CSO

Motorola Security Chief discusses experience, skills and certifications needed for this job.

Security jobs are in the spotlight like never before, with the current heightened sensitivity to cyber-crime and national security. Add to that the fact that security was one of only three IT job categories that saw salary growth in the past year, according to a recent survey of 17 IT job families by Foote Partners LLC. With that in mind, eWEEK IT Careers Managing Editor Lisa Vaas recently spoke with Motorola Inc.s top security gun, Bill Boni, who in February 2000 became the first-ever chief information security officer for this $30 billion Schaumburg, Ill., manufacturer of cell phones, pagers and network products.

So what does it take to become a CSO (chief security officer)? An extensive résumé, for one thing. Bonis spans 25 years of security work. He is an expert on espionage and cyber-crimes directed against American high-tech corporations. That curriculum vitae includes assignments as a U.S. Army counterintelligence officer, as a federal agent and investigator, as a security consultant, as vice president of information security for First Interstate Bank, and as project security officer for government "Star Wars" programs and other defense work with Hughes Aircraft Co.

eWeek: Whats a typical career path for a CSO?

Boni: There isnt a standard career path development. People who end up with this responsibility come, most of the time, from a technical organization background: IS or IT. For a significant part or a majority of their careers, [CSOs] must have worked at a managerial level. ... A purely technological approach will be insufficient to deal with the complexities of risk youll be required to address. Theres no binary solution in information security: i.e., if you do this, youre secure; if you dont do this, youre not secure. Its an imprecise art of putting together technological, procedural and operational safeguards to bring risk to an acceptable [level].

It takes an interesting combination of technical understanding and skill, management skills, persistence, and maybe commitment to doing the right things the right way to be successful in this job in the long run. Its a constant balancing act, knowing when and where and how to draw the line and how to balance competing priorities.

eWeek: What certifications do you hold or would you recommend for prospective CSOs?

Boni: I hold the [Certified Information Systems Auditor] certification from [Information Systems Audit and Control Association, a global IT audit organization, at www.isaca.org]. The reason why this certification is important for prospective security professionals is youll find that by the time you get to the C level, youre dealing with risk. Technological aspects are important, but an audit background gives you a framework for assessing risk and considering controls and alternatives.

I also have the [Certified Protection Professional certification] from the American Society for Industrial Security International [at www.asisonline.org].

eWeek: Security is seen as one of the last safe harbors for IT salary growth and job security. Is that warranted?

Boni: Anyone whos attracted to the job classification du jour because it pays more money than competing specializations probably doesnt have the mind-set to be successful in that field. True, its a supply-and-demand issue in part. In the aftermath of Sept. 11 and the ongoing warnings we receive from government officials at the prospect of cyber-attacks, theres a sense of, "Is our organization doing enough? One thing we can do right away is get somebody whos the responsible person for [security]." So more organizations will appoint a senior-level security person.

Im not sure thats going to be a continuing trend. As organizations realize or feel a need for those senior positions, it will end up being the same as with physical [facilities] security directors. Seventy percent of organizations have a corporate [facilities] security official. Well probably plateau at 70 percent of Fortune 500 companies with C-level people in charge of information security.