In Depth

How you fund a CSO

Genzyme's CFO-An exec who gets it; Finding security equilibrium; Are our harbors safe?; Better budgeting; What employees who travel need from a CSO; Protecting your company's intellectual property; A true story of employee termination

By CSO Contributor

Page 9

Charlie (not his real name) was more than simply a highly paid systems operator. He had been hired as a "security architect"the one person who knew the ins and outs of the firewalls, intrusion detection systems, backup auditing devices for the regulators, and even the desktop antivirus system. But that, it turned out, was the problem: Nobody else on staff really knew what Charlie was doing.

Charlie drifted in to the office at 3 in the afternoon; he often stayed until after midnight. He occasionally picked fights with the cleaning staff; he went ballistic if anybody touched the papers on his desk. Some rationalized that he was just hypervigilant about his privacy, which was a good feature to have in a security director. But one day he threatened a coworker"Be careful, or you might discover that all of your files have been corrupted"and at that point we knew we had misjudged the situation. We had a problem on our hands.

The address that Charlie had given on his employment applicationthe address where we sent his paychecksturned out to be a mailbox at Mail Boxes Etc. We went back and checked his referencesfinallyand only one could verify his former employment but said they couldn't remember him personally. The other two companies were no longer in business.

A standard way to fire somebody is to have security meet him at the front door and escort him to his manager's office while the security team goes to work. Over the next 10 minutes, the worker's passwords are reset, his account locked and his card pass deactivated. The employee would then be escorted to his desk to watch while his belongings are inspected and packedafter all, you don't want a terminated employee to "accidentally" pack up something that's company-confidential. Finally, he'd be escorted to his car. With two weeks' notice, he'd draw severance pay from his home.

Former employees can do a tremendous amount of damage because they know all of your secrets, and their anger at being fired might cloud their thinking. When one Silicon Valley computer manufacturer laid off several hundred employees a few years ago, it turned one of its buildings into an "employee relocation center." Employees were given desks, chairs, working telephone lines and access to a computer network located outside the corporate firewall. The setup helped the employees make the best of a bad situation; they could job hunt while appearing to still be employed, yet they posed no danger to the company's ongoing operations.