I was attending the CIO Dialog this week, and while sitting there listening to one speaker, a train of thought started. It was initiated by his statement that we (by that he meant the other CIOs in the room) were once called Data Centre Managers, then IT Managers, then IT Directors, and now CIOs. This got me thinking about why we don't see many security people as CIOs.
Within minutes, I came to the realisation that all CIOs should come from a security background. Concerned that I might be thinking complete nonsense, I decided to test this out with one of my friends who was a CIO and came from a security background: Martyn Croft, CIO, The Salvation Army.
I don't know many CIOs, but I have known many IT Managers and IT Directors, and I have been familiar with their backgrounds: most of them came from a programming background, became analysts, project managers, etc., and after several years of getting their hands dirty with organisational politics and understanding the business, became the head.
Pausing here, I should really point out that I believe all good security people must have a good programming background. Why? Because whatever high or low figures you use, more than 50% of vulnerabilities still arise as a result of the code. I believe that security professionals with a good programming background have a better understanding of the exploits, threats and risks that such vulnerabilities expose the business to than those without that background, and also that they are better able to respond quickly in an incident handling situation.
So, should all security professionals come from a programming background? No! There are plenty of good security managers around who come from many varied backgrounds and are some of the best in the field. I'm only suggesting that having a programming background enables one to appreciate vulnerabilities in ways that non-programming employees may not be able to.
This then leads us to ask: if (and let's still keep it as an if) all security managers have a programming background, what is the difference in experience between a senior manager in an IT department and a security manager, in terms of what each brings to the role of a CIO?
A CIO from an IT department background will not necessarily have a programming background, but rather a wider background that may include telecoms, infrastructure, and experience in analysis, planning, implementation, delivery, etc. (Several other areas could easily be added, but I'm keeping it simple.) The security manager from a programming background would possibly also have much of the above, but in addition (and I would say most importantly) a wider understanding of risk (and possibly also of selling it to the business), an understanding of compliance auditing, governance, selling or promoting intangible benefits to the business, balancing business benefits against risks, physical security, etc.
I appreciate that this is not a well-formed argument (but then, this is a blog), so I decided to check my thinking and badly formed argument with Martyn Croft: that 'security professionals with a programming background make better security managers, and CIOs with a security background offer a wider portfolio of experience than those without'. He agreed. It's great to put words in people's mouths, isn't it?
Given that most of the readership of this blog are security people, let me know what your thoughts are.