All areas of responsibility are important!
There seems to be this underlying disdain for ‘non-technical’ CISSPs in this forum. Let me clear some things up right quick. There’s no occupation more formidable than the military and the IC where information security is most at work. The technical end of it is important, but the GRC end of it is even MORE important in my opinion. We as security professionals must understand that there are various domains of work and all of them must support the organization’s strategic objectives. Absent supporting a business’ strategic objectives, what do you have really?
Learning a piece of hardware is very linear. There’s no wow factor in implementing security on a firewall or router – a person of marginal intelligence should be able to do that. Now tying all of the security functionality with policies that support the business’s strategic goals, now that’s where the CISSP earns their money. When I was an enlisted soldier, I thought less of the officers as they strategized on GRC. When I became an officer, I certainly did not think less of the technicians that I managed. Everyone performs in their domains and areas of responsibility. There’s no such thing as technicians being ‘better’ or executives being ‘better’ in either case. It’s more important that the technicians understand the governance than for the CIO, CISO or any other high-ranking executive to understand how to patch a server. The executive-level person should understand their requirements; which turns me back to one of my other posts.
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE