In Depth

Bob Moore Knows How Not to Get Fired

Remember: Once you have a security leadership job, it's the little things that help you keep it.

By Scott Berinato

Page 10

In both cases, you're cheating a little bit. But it can be argued that if bluffing and opportunism lower risks to the company, then you cheated on the price but not the goods. You'll have to work out the Machiavellian morals yourself.

Metrics, Metrics, Metrics

Finally, look ahead a little bit. If you've prioritized your to-do list, you've already started looking ahead, in a way, by putting off some projects in favor of others. But there are two other tips you should start thinking about.

We know it's hard. We know it takes time and money, but eventually, security will be completely metrics-driven. So you need to develop, cull and otherwise employ risk analysis metrics and benchmarks. It will satisfy the CEO's and CFO's insatiable appetite for proof of your worth. Paller at SANS believes you should devote considerably more financial resources to developing benchmarks than you do today.

"The ISO is going to the CEO saying there's a chance something bad, and possibly something embarrassing, could happen. But how much of a chance, the ISO doesn't know," Paller says. "And if he spends this kind of money, he can reduce the risk but by how much, he doesn't know. It's simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. They don't want it, and eventually they won't take it."

Create the X-Year Plan

Even as you implement all of the above, you should have an overarching vision for security. Genzyme's Kent had a two-year plan for integrating security into his company's culture. Moore had to build security from the ground up at Merck, and his was a five-year plan.

Moore says that, almost five years into his job, the plan is nearly fulfilled. Merck hadn't employed a security executive before Moore arrived. Today, though, his security program is comprehensive enough that he can talk about coping with a sudden and serious issue like SARS (severe acute respiratory syndrome) even while it is actively spreading overseas. He explains Merck's process for dealing with SARS with respect to its employees in a structured way, in great detail, and, as always, calmly and without the slightest hint of panic.

You don't get the sense Merck's going to let him go any time soon.
