In Depth

Security Accountability: The Fault Line

Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.

By Tom Wailgum

Page 3

Which was a deal-breaker for Dardet. "We were giving them something of value: our information to manage, to support. If somebody stole something from us on the vendor's systems, we needed to know."

So that very large contract, with its very large incentives, and one very large unanswered question, hung in the warm Miami night air as Dardet and his colleagues discussed the particulars over the phone. The vendor's reps waited in a separate room, straining for an answer. And midnight was fast approaching.

For Dardet to even play a part in this 11th-hour contract process exemplifies security's rising prominence in corporate America. It wasn't that long ago when security didn't even have a place at the proverbial table; it was more like a seat at the kids' table. But for whatever reason (9/11, computer viruses, workplace shootings, terror alerts, war), security has finally been invited to dine with the rest of the adults.

"In the past, [business users] might go ahead with a project without consulting us," says Craig Granger, who for the past four years has run the multinational security operations for Delphi, a maker of automotive mobile electronics, components and systems technology. "Security is on the top of the list here now, and our peers in corporate come to us."

While Granger and many other security executives devote a big part of their job to building awareness of security issues, they've also realized, ironically, that raising user knowledge allows the CSO to shift a part of the heavy accountability load to business peers, end users and pretty much anyone else working behind the company logo. "In this climate, everybody has a heightened awareness," Granger says. "Now, more of the security emphasis is on people. It's their responsibility, not just mine."

Mary Ann Davidson, CSO at Oracle, also thinks it's important to share accountability with others in the company. "I don't want to be the policeman," she says. "If people think risk is the security person's job, then I've failed."

How Granger, Davidson and other CSOs raise the corporate security IQ will determine the outcome of today's culture clash. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger, for one, speaks at business group meetings and consults with Delphi's executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and mandates that all new employees take a security course and undergo training.
