Hi,

I dream of reaching the chief information security officer seat one day. I've been thinking of getting some CISSP and CISM certification but as well as a MBA or or Masters in information security?

cyeudoxus

That sounds like a good start to me. 

It was a bit of a non-question, but I'll throw in my 2 pesos.  There has been a major shift in the CISO role over the last few years.  It is moving away from the perspective of "do whatever it takes to secure our stuff" to "make sure you secure our stuff in a way that will meet our business needs."  Basically, they want someone that can tie information security to their bottom line.  If you look at some of the major Fortue 500 companies you'll notice that their CISO position has moved out from under the CIO/CTO to under the CFO/COO.  (Translation: out from under the IT geeks to under the finance geeks)  You are still expected to focus on securing the environment, but it is now much more of a risk vs reward scenario.  You'll have to answer why you dropped $2 million on new hardware in order to protect $1 million worth of data.  At this point in time you will get more bang for your buck getting the well-known generalist certs (CISM, CISSP) and then going for an MBA rather than loading up on the hands on certs and degrees in computer science and IT.

I just re-read that post and realized that I left out the rationale of why they are moving the CISO role.  If you think about it, the CISO and the CIO/CTO (chief information/technology officer) roles are direct contradictions of each other.  The CIO/CTO is under a lot of pressure to make as much data as possible to as many people as possible.  The is for ease of use from within the organization and for customers and business partners.  The CISO is on the other end of the spectrum as they are usually trying to limit as much information as possible and put up barriers to many of those same users/customers/partners.  As an extreme example (and not realistic but I'm just trying to make a point), if they could get away with it many CIO/CTOs would make everyone administrators and have every firewall rule any-any.  If they could get away with it, many CISOs would take scissors to every Cat-5 cable they could reach and pour cement over the firewalls.  With this in mind, when the CISO reports to the CIO/CTO, they are often trumped and their suggestions shot down.  Nobody thought this was a big deal until companies started losing millions of dollars in data and getting fined for not being in compliance with regulations.  To break this conflict of interest the CISO spot is being moved under the finance and risk management area of the organization structure.