In Depth

Bob Moore Knows How Not to Get Fired

Remember: Once you have a security leadership job, it's the little things that help you keep it.

By Scott Berinato

In either case, peer executives will quickly start to expect nothing more from you, and you'll turn into a perfectly fine middle manager with no executive clout, or you'll be let go.

Says Coughlin, "The guys who are admired in this profession are at ease communicating in a business language and environment."

Oftentimes that means using, uh, you know, presentations and stuff.

Adapt to Your Industry

Even Bob Moore, with two decades of impressive credentials, felt "angst" taking the job at Merck. Why? "I was moving to a new industry where I didn't have knowledge and breadth of experience I needed," he says. "I came from oil and gas, which you can steal, but you can't counterfeit. Which is what product security at Merck is about: protecting against counterfeiting. I needed to get up the learning curve quickly." In other words, security is contextual, and you had better know what context you're operating in before you start applying policy and so forth.

Coughlin had a similar experience at Wyeth. "You might have scientists who cheat on drug orders and people who take bribes from vendors here, and cheating and bribes are no different challenges than you might face in a financial services company," he says. "What is unique is the context; biotech is an environment which is like college. It's an academic, campus atmosphere, so I'm not going to secure it the same way I would a financial services company."

Serve Milk and Cookies in Blue Jeans

This odd directive is a composite of two techniques Northcutt experienced at the Navy. First, he held regular sessions, open to anyone, where he would spend a half hour explaining some technology to whoever wanted to know more about it. (It didn't need to be limited to technology. A CSO with broader responsibility could spend a session talking about, say, a "clean desk" policy keeping sensitive documents from prying eyes.) Northcutt served milk and cookies at these informal awareness sessions.

"You have to understand it was a hostile environment because the security officer there before me treated everyone like, Show me your plan and I'll tell you what's wrong with it. I mean it was overt hostility. Getting fired would have been easy," Northcutt says. The awareness sessions made him less fireable because "people realized security had a clue and we cared about the same things they did."

Or maybe it was the free milk and cookies.

The blue jeans thing, Northcutt says, comes from another former manager of his who, every Friday at 2:30 p.m., set aside the rest of the day to learn something technical. The manager, a buttoned-down type, called it "blue jeans day" even though he always wore business casual and kept a jacket and tie handy.
