In Depth
Security Accountability: The Fault Line
Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.
By Tom Wailgum
Besse is a huge believer in getting to know all facets of the business side. He says he takes on a more consultative role, although he acknowledges that the decision-making part of the accountability equation rests most definitely with the business function head. "At the end of the day, the business manager is the one to make a decision, and he has to have the ability to make those calls," Besse says. That ability comes from CSOs getting on the business executives' agenda to show them how security can help them. "Business units are different from each other, so you have to work with each one," he says. "The people there will eventually begin to understand how security can help them."
When it comes to actually working with your business colleagues, Delphi's Granger cautions that CSOs should not get too technical with their executive brethren, or bog them down in what he calls the nitty-gritty of security. "You need to keep it at a high level," he says. "You have to keep your eye
Though it's clear that most CSOs would rather not speak of tales of security-gone-horribly-wrong, they're quite capable of talking about what they would do if fingers started pointing and name-calling commenced. They consistently use phrases like "follow-up meetings," "after-the-fact strategy sessions" and "future mitigation steps."
But blame? No. These CSOs take the high road when it comes to accountability



