Show Time for Security

Image isn't just about security theater. Projecting the right image helps get the job done.

Closely tied with the CSO's personal image is a second level: how other business executives and their staffs view the security department and its leader. This perception is fundamental to any security awareness program and the key to selling any security initiative to the rest of the business. Michael Assante, CSO of American Electric Power, is candid about the kind of forethought that goes into this transformation. "I knew that image was going to be an important part of being able to have success," says Assante, who two years ago became the first person at AEP to have control over both corporate and information security. "I overthought about everything."

Assante concluded that he needed to distance himself from his military roots and incorporate himself into the business, as the leader of a new department called enterprise risk management. He does part of this through the way he dresses. (See "Secrets of Their Success," Page 26.) But the strategy runs much deeper. "Yes, there's a guard force component," he says of the security department. "Yes, there's a law enforcement component. But I've really worked to drive that out of our image. I make sure that when we talk to folks, we're understanding their business processes. And then, when we sit down to talk about security exposures, we present a strong business case." Assante thinks the approach has worked, because now people ask for his advice on other kinds of risks. If Schmidt is post-geek, then Assante is post-guard.

Finally, the third level of this transformation has to do with the way the corporation as a whole makes security part of its image. This is the endgame, the payoff, and we're beginning to get therebut just barely. So far, in fact, most of the companies that are marketing their security (security vendors aside) are ones that have been forced to, such as Microsoft. (See "Security Sells," Page 46, for more.)

Skeptics could argue that their actions are just lip service. There's an entrenched mistrust in security of things that are done just for lookswhat author Bruce Schneier likes to call "security theater." But we're not talking about doing things because they look good. We're talking about making things look as good as they are.

"Image is 100 percent important," says Schneier, author of Beyond Fear and a prominent observer of the security industry's evolution. "Otherwise you're not listened to; you're not taken seriously; you can't get the budget. If you don't deal with everything around the politics and socialization, you never get to the actual security."