Security jobs are in the spotlight like never before, with the current heightened sensitivity to cyber-crime and national security. Add to that the fact that security was one of only three IT job categories that saw salary growth in the past year, according to a recent survey of 17 IT job families by Foote Partners LLC. With that in mind, eWEEK IT Careers Managing Editor Lisa Vaas recently spoke with Motorola Inc.s top security gun, Bill Boni, who in February 2000 became the first-ever chief information security officer for this $30 billion Schaumburg, Ill., manufacturer of cell phones, pagers and network products.
So what does it take to become a CSO (chief security officer)? An extensive résumé, for one thing. Bonis spans 25 years of security work. He is an expert on espionage and cyber-crimes directed against American high-tech corporations. That curriculum vitae includes assignments as a U.S. Army counterintelligence officer, as a federal agent and investigator, as a security consultant, as vice president of information security for First Interstate Bank, and as project security officer for government “Star Wars” programs and other defense work with Hughes Aircraft Co.
eWeek: Whats a typical career path for a CSO?
Boni: There isnt a standard career path development. People who end up with this responsibility come, most of the time, from a technical organization background: IS or IT. For a significant part or a majority of their careers, [CSOs] must have worked at a managerial level. … A purely technological approach will be insufficient to deal with the complexities of risk youll be required to address. Theres no binary solution in information security: i.e., if you do this, youre secure; if you dont do this, youre not secure. Its an imprecise art of putting together technological, procedural and operational safeguards to bring risk to an acceptable [level].
It takes an interesting combination of technical understanding and skill, management skills, persistence, and maybe commitment to doing the right things the right way to be successful in this job in the long run. Its a constant balancing act, knowing when and where and how to draw the line and how to balance competing priorities.
eWeek: What certifications do you hold or would you recommend for prospective CSOs?
Boni: I hold the [Certified Information Systems Auditor] certification from [Information Systems Audit and Control Association, a global IT audit organization, at www.isaca.org]. The reason why this certification is important for prospective security professionals is youll find that by the time you get to the C level, youre dealing with risk. Technological aspects are important, but an audit background gives you a framework for assessing risk and considering controls and alternatives.
I also have the [Certified Protection Professional certification] from the American Society for Industrial Security International [at www.asisonline.org].
eWeek: Security is seen as one of the last safe harbors for IT salary growth and job security. Is that warranted?
Boni: Anyone whos attracted to the job classification du jour because it pays more money than competing specializations probably doesnt have the mind-set to be successful in that field. True, its a supply-and-demand issue in part. In the aftermath of Sept. 11 and the ongoing warnings we receive from government officials at the prospect of cyber-attacks, theres a sense of, “Is our organization doing enough? One thing we can do right away is get somebody whos the responsible person for [security].” So more organizations will appoint a senior-level security person.
Im not sure thats going to be a continuing trend. As organizations realize or feel a need for those senior positions, it will end up being the same as with physical [facilities] security directors. Seventy percent of organizations have a corporate [facilities] security official. Well probably plateau at 70 percent of Fortune 500 companies with C-level people in charge of information security.
What It Takes to Be a CSO – Page 2
eWeek: Does a government background make you well-suited for private-sector security work?
Boni: Government can be a solid background, but I wouldnt assume its the only one or necessarily the best. When youre dealing with military or law enforcement, they have different priorities. It can be difficult for people who come from those hierarchical and authoritarian organizations to deal with persuasion and to influence management effectively. If Im working in the military, I can [make you do as I tell you to, or else I will] handcuff you and take you to jail. In the public sector, security kicks in because peoples lives are at stake. In the case of business, youre rarely dealing with criminal offenses or life-and-death issues. Youre more dealing with how this will impact business opportunity positively or negatively.
[The private sector] has its own pressures and responsibilities. [You may] face the prospect of being summoned to the CEOs office to explain how the companys premier Web site was defaced or the production line was brought down by the impact of a computer virus impacting inadequately protected machines. The pressures are real and constant.
eWeek: Motorola is second only to IBM when it comes to churning out patents in this country. Considering how much information you have to protect, you must have one of the least-boring jobs in IT, yes?
Boni: You cant anticipate any given week whats going to happen. Its a combination of change in technologies and in the risk environment. They all … keep you challenged and growing. Youre always having a chance to learn and grow.
This is the job I trained in and worked toward for 25 years. Im now in the position of living the role I always dreamed Id be able to do in a leading technology company. Anybody who aspires, its possible to do it. It may take time and effort, but keep focused, and youll have the chance to make the contribution I dreamed of making.
Related story:
- Whats a Chief Security Officer Make?