In Depth

Sharon O'Bryan: Called to Account

Some security executives see protecting their company's assets as a way to earn a living. ABN Amro's Sharon O'Bryan sees it as her mission.

By Simone Kaplan

Page 2

"I do better under duress," O'Bryan says. "It's like when you go to a restaurant, and you're the only customer there. Ironically, the quality of service is terrible. If you want another cup of coffee, you can't find the waitress because she's off in a corner somewhere smoking. But if the place is busy, your service is better because the waitress has to be on the ball. It's the same with me. When I've got an overwhelming number of things to do, I get all fired up." Which explains how, despite the demands on her time and energy, the atmosphere in O'Bryan's office above the Chicago Loop is amazingly controlled. Amid neatly framed family photos and carefully organized papers, O'Bryan appears to be the essence of level-headed business acumen and IT expertise. Her zest for the job is immediately apparent in her strong handshake and the unwavering eye contact she levels on visitors. She frequently faces the challenge of merging systems from multiple companies that ABN Amro has acquired into her own and making sure they stand up to her rigorous security standards and requirements. "Sometimes I come into work and wonder, Well, what will the company look like today?" she says. Merge AheadO'Bryan heads the technology risk management team, which is known within the company for handling the security side of systems integration quickly and well. If the acquired company's security doesn't meet O'Bryan's standards, she delays hooking it up to ABN Amro's network until it's in compliance. "You can't mix an unprotected system with a trusted network," she says. The process is particularly difficult if the new company's system is dependent on a single software program whose security settings can't be changed. O'Bryan reasons that "if you change their technology in those situations, then you have changed the success of their organization, and there's no cost-benefit to bringing them into the fold." Her solution is simple and circumspect: Segregate unsafe systems. She and her team create an oasis of computers linked to the ABN Amro network. The computers are placed in a secure room, and whenever someone needs to interact with the ABN corporate network, he has to work with the special computers. "If you can't have a shared environment, that's what you have to do," she says.

O'Bryan applies the same determination to every project she faces. Recently, she completed a total reorganization of the security architecture part of the technology risk management group. The overhaul began three years ago, after she joined ABN Amro and discovered that the security organization was all over the map. Literally. "It was a giant pot of stew," she recalls. The security organization was underfunded and understaffed, comprising only 12 people who were scattered throughout other infrastructure groups around the country. When O'Bryan arrived, the company had decided to go forward with a single sign-on technology that would allow network users to access multiple applications after entering a single password. But the North American division's network was a complex patchwork of systems mushed together from frequent mergers and acquisitions, and there were few security standards in place. O'Bryan decided that the technology couldn't support the company's integrated systems and shelved the project. "The technology wasn't quite there yet, and your network environment must be very clean for a project like that to be effective without opening you up to attack," she says.