In Depth

Bob Moore Knows How Not to Get Fired

Remember: Once you have a security leadership job, it's the little things that help you keep it.

By Scott Berinato

The CSO who spends time studying his environment, says Lenzner, will hear what's said but also hear what's implied. "The CEO will say, We want you to do X, and the good CSO will know that means, We want you to do X, but if you alienate those three divisions of the company over there in the process, you'll win a battle and lose the war. And they'll know when to compromise, adapt."

Then, Do an Audit

A corporatewide security assessment sets your bearings. Much of what you do afterward will be a result of this first major initiative. From this audit, you need a baseline of the company's security status. "Baseline, baseline, baseline," Stephen Northcutt says. "After I was hired but before I even walked into the building at BMDO (Ballistic Missile Defense Organization, now the National Missile Defense), I ordered an independent audit. Why? How am I going to say later that I made 2 percent progress without a baseline?"

You might as well know now that, to stay in your job, you'll need to provide your peer executives and the board with more metrics than you ever imagined. Probably more than you have.

OK. Those of you with an IT heritage are now free to complain about how difficult it is to create meaningful security metrics. And those of you from a physical security background are allowed to mourn the loss of those days when no one asked you for them. Too bad for both of you.

"For a long time, security wasn't challenged on metrics. We were different from the rest of the workforce, kind of mystical," says Ray Humphrey, former CSO of Digital. "Recently, I see more emphasis than ever on providing the executive team with benchmarks and data. I happen to think that's excellent."

The hard truth, however, is that the degree of success a CSO can have will largely rest on his ability to provide metrics. "They'll need to move security from the boiler room to the boardroom," says Humphrey.

Next, Pluck the Low-Hanging Fruit

Here's an ancillary benefit of that first major security audit: It will, more often than not, expose one or two gaping holes in corporate security architecture and policy. Fix them right away, and make a big deal out of it.

"Financially, the only reason a CEO will call you is if he discovers losses or suffers an event," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who has held security and safety management positions at prisons. Patch up a gaping hole at little or no cost, and you're immediately a minor hero, McCreary says. "You've done much better than coming in and asking for a lot of money to implement some overarching new plan."
