Dealing With an ISO Who's Only So-So
As our security manager realigns the workload for her team, she confronts an information security officer who's weak in most technical areas.
August 8, 2005 12:00 PM ET, Computerworld
Have you ever watched a so-so movie, eaten at a so-so restaurant or attended a so-so theater production? Such activities are time-fillers, but they don't really add much to your life. I have a very hard time with nonproductive, nonedifying activities. I don't go back to so-so restaurants, and I don't recommend so-so movies or plays. If a book doesn't grab me, I don't finish it. Life is short, and each thing I do needs to mean something and be of value.
So, what happens when you manage a so-so employee? I'm not one to just ignore the problem or give the employee tasks of no great importance just to keep him busy and out of the way. All work should count and help the organization reach its goals.
My problem is an underperforming information security officer (ISO). She doesn't have a technical background, and though she once had supervisory responsibilities, they were taken away because her direct reports were complaining bitterly about her lack of management skills. I'm not sure exactly how she fell into the position of ISO, but I think people in the agency we work for had been wondering what to do with her just when the legislative requirements of the Health Insurance Portability and Accountability Act security rule went into effect and it became necessary to assign someone ISO duties.
As happened within many organizations that were considered "covered entities" under HIPAA, my agency acted without fully understanding the duties of an ISO. I'll get to the basic misunderstanding behind this common mistake later.
I am now realigning the workload among my staff members, and as part of this task, I must take a hard look at the ISO position and make a decision about who should have that responsibility.
The current ISO isn't performing, primarily because she lacks experience and education in the security field. I have tried for half a year to mentor her, offering educational materials and pointing her toward webcasts, seminars and security white papers. It's like trying to teach a foreign language to someone who doesn't have a solid grasp of her native tongue. Her inability to grasp the material is apparently due to a dearth of foundational knowledge regarding networked computing basics (TCP/IP, client/server architecture, LAN/WAN topologies).
The rate of change in networking technologies is challenging to keep up with, even if you do know the basics. For this ISO, it's impossible.
I told the ISO that several other staff members were sorely overloaded but that we had just

