New Security Leadership: The Basics
Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.
By Derek Slater
A not-so-secret secret: Many executives think security chiefs have a bad attitude. And we're not just talking about information security officers. Traditional corporate security executives are saddled with a bad rep. It's time to learn what it means when a CEO, after eliminating the CSO or CISO, says, "There was just something about him that didn't fit with the organization."
The physical security chief, according to stereotype, is a rigid and dogmatic "top cop" who has an "arrest" mentality and is a no-man as opposed to a yes-man.
The information security executive comes across as an arrogant know-it-all who is whiny, defensive, uncooperative and doesn't try to work with others because, how could anyone but he possibly understand the technical challenges he faces?
Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. "We had one CSO candidate for a Fortune 500 not get the job," says recruiter Tracy Lenzner. "And he, I can hardly explain it, but it was so telling, lashed out about how the company didn't know anything. He was angry. He was like a child that didn't get his way."
(Want to learn more about moving past these stereotypes? Read our special Image issue, starting with the introduction, "Show Time for Security.")
Former CISO Stephen Northcutt believes the attitude comes from the likelihood that many candidates for CISO positions are underqualified. "They are stressed out, secretive, edgy and defensive because they don't have the understanding or mastery of tools they need," he says.
As a result, those candidates fall back on old habits, such as always using highly obscure explanations of technology, or always reacting negatively to any risky or unorthodox business proposition. Those forms of communication don't fly in the boardroom.
IN: Business language and communication skills
When James Christiansen came to GM from Visa, where he was also head of security, he found the move from financial services to manufacturing to be a jolting transition. "You speak a different language, you look different and you dress different." So Christiansen did two things: He signed up for classes on the workings of the auto industry, and he made a point of doing a lot more listening than talking.
In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM's financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company's business line executives. "Everything I bring them is cost additive, and that can create a natural conflict," says Christiansen. "I need to be able to show the bang for the buck, the ROI per dollar and how I'm going to help them solve business problems." None of that can be achieved without a keen understanding of the business and the recognition that the CSO's role is to enable business success in an appropriately secure context.
To combat the perception that security is divorced from the business world, Bill Boni, Motorola's CISO, has even gone so far as to shun the usual moniker "IT security" in favor of the more business-friendly title "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed in a server or confidential contracts in a sheaf of papers.
Talking in business terms with executives can also be a tremendous asset in advancing the CSO's agenda, which is often bogged down by the perception that it's too technical for business executives to understand. "I've seen too many information security practitioners fall short in their role because what they really love is the technology," says Boni. "They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives' insight, experience and judgment can be engaged, the executives are already disengaged. The executives conclude that security is at a level that's inappropriate for their consideration."
As the old saw goes: It's not just what you say, but how you say it. So practice your delivery. As anyone who's ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City's renowned comedy club, on a Friday night. "It was one of the most horrifying experiences I think I've ever been through," says Hancock. "You get up in front of an audience, half the people there are probably inebriated in some fashion, and you've got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don't know you from nobody." The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it's important to focus on how you communicate as well as what you communicate.
Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle's CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. "People ought to be thanked for doing their job more often," she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. "Business is personal," Davidson says. "It's not being manipulative, it's just that you catch more flies with honey."