New CSO Bill Hancock found his security team's reputation summarized, symbolically, in the contents of a locked closet. He had been CSO for less than a week when he discovered the dirty little secret. A routine tour of the security facilities at Exodus (now the U.S. base of Cable & Wireless) in Santa Clara, Calif., turned up the closet. When Hancock opened the door, he saw 45 computers stacked high in a haphazard pile.
"What the hell is all this stuff?" he asked. Quite matter-of-factly, a security staffer informed him they were computers that had been hacked. Struggling to understand how that had led to this leaning tower of machines, Hancock asked, "Well, who do they belong to?" When that question seemed to stump the staffer, the magnitude of the problem began to dawn on Hancock. Not only had the previous CSO impounded computers instead of fixing them, the security team didn't even know where the computers came from or whether replacements had been issued to their users. The message this sent to the rest of the company was reminiscent of Jerry Seinfeld's despotic Soup Nazi: Been hacked? No computer for you!
As Hancock discovered at Exodus, the top security role in many companies is in desperate need of a reputation makeover. Nowhere is this more apparent than in the relationships between CSOs and other line-of-business executives. Though they are relative newcomers to the executive lineup (and in many cases are still waiting to get in the game), CSOs will achieve success based on the strength of their peer executive relationships. Why? Because in order to effectively execute security programs, CSOs will depend almost entirely on winning access to and cooperation from their fellow executives.
Naturally, a negative image can get in the way. "Security tyrant" is just one of the unfortunate sobriquets CSOs have earned. Business executives complain that CSOs kill projects with their unreasonable and expensive technology demands. They are "techies" who make no effort to understand or relate to the business. They speak in a foreign-sounding language, peppered with terms like buffer overflow and packet filtering. Their duties seem to consist largely of getting in the way of business rather than solving its problems. When the position devolves into stereotypes, the CSO role risks becoming marginalized. Other key executives will begin to engage in that time-tested business strategy, the end run.
In order to build strong partnerships, says Hancock, you need to deflate criticisms and communicate well with other top executives. "If you can't explain to people how to solve a problem, they'll never come back to you again," he says. "They'll do everything to work around you rather than work with you."
We talked to some top CSOs to glean their best practices for making these critical executive partnerships work.
1. Don't Just Say No
After discovering his predecessor's punitive approach to corporate security, Hancock realized that he needed to rebuild the image of the Exodus CSO into that of a kinder, gentler team player. His first step was to track down the owners of those 45 confiscated computers. Many of them had in fact been computerless. Hancock gave the computers back, got them cleaned up, loaded them with new security tools, and briefed their owners on how to keep from being hacked again. Says Hancock, "Pretty soon people who once had fear and loathing in their hearts for the security guys began to say, These are really nice people. They're trying to help me be secure and will explain to me what's going on." Hancock's rule, which has been effective with employees and executives alike, is "Never tell people no. Tell them how." That helps create the perception that security is an ally rather than an enemy.
In fact, changing perceptions requires that CSOs curtail all kinds of negative communication as much as possible. For example, instead of waging an endless battle to stamp out employees' bad habits, look for technology solutions that will compensate for them. In practice that means
CSOs should also consider exploiting executive partnerships as a way to off-load some of the dirty work of communicating with the company about security. Why not harness HR's expertise in policy creation and dissemination to push new security policies out to employees? Internal audit groups can likewise be useful partners when departments disregard some company policy and need to be whipped into shape.
Giving your business partners both a voice and a choice in security decisions is another way to foster strong partnerships. If CSOs talk in the lexicon of risk and reward, and provide an analytical basis for decision making, they can actually leave final decisions to the business owners closest to the issues. This creates buy-in within the business groups because they are ultimately making decisions rather than being dictated to by an outsider.
At Merrill Lynch, Chief Information Security and Privacy Officer David Bauer believes in laying out the options for a business team: the security risks, the possible solutions and the benefits or drawbacks of each choice. "Too often, security groups come back with [only] one answer, and people wonder if you analyzed at all," he says.
That said, there are of course times when an outright "no" must be firmly articulated. Anticipating that necessity, CSOs will find that the word commands much more respect if they use it sparingly rather than reflexively. Otherwise, CSOs who constantly shoot down projects as a menace to corporate security may not be taken seriously when real dangers arise. It's a balancing act that Hancock describes as a benevolent dictatorship. Things run much more smoothly if other people take an active part in the decision-making process. But when a serious security issue puts the company at risk, the CSO has to step up and make the call.
2. Know Thy Business
When Christiansen came to GM from Visa, where he was also head of security, he found the transition jolting. "Walking into a manufacturing corporation from financial services was like being the 13th warrior," says Christiansen, referring to the 1999 film in which Antonio Banderas plays a cultured Arab forced to fight alongside barbaric Vikings (while the movie was a flop, it might make appropriate viewing for any CSO who's ever felt like a fish out of water in the executive pool). "You speak a different language, look different and dress different." So Christiansen did two things: He signed up for classes on the auto industry, and he made a point of doing a lot more listening than talking.
In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM's financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company's business line executives. "Everything I bring them is cost additive, and that can create a natural conflict," says Christiansen. "I need to be able to show the bang for the buck, the ROI per dollar and how I'm going to help them solve business problems." None of that can be achieved without a keen understanding of the business and the recognition that the CSO's role is to enable business success in an appropriately secure context.
To combat the perception that security is divorced from the business world, Bill Boni, Motorola's chief information security officer, has even gone so far as to shun the usual moniker "IT security" in favor of the more business-friendly title "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed in a server or confidential contracts in a sheaf of papers.
Talking in business terms with executives can also be a tremendous asset in advancing the CSO's agenda, which is often bogged down by the perception that it's too technical for business executives to understand or to be bothered with. "I've seen too many information security practitioners fall short in their role because what they really love is the technology," says Boni. "They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives' insight, experience and judgment can be engaged, the executives are already disengaged. They conclude that security is at a level that's inappropriate for their consideration."
The better tack, according to Boni, consists of four key elements: Understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards. Use that knowledge for your conversations with business executives.
Working with business executives is easier when you also arm yourself with knowledge of the initiatives that are under way in their business unit and the challenges each executive faces. It's helpful to have a network of sources you can draw upon to discuss threats, current projects, and any concerns or feedback that business units may have about security usability. These individuals can also act as the CSO's evangelists throughout the enterprise, spreading the word about new policies and threats.
3. Practice Your Delivery
As anyone who's ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Hancock took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was to do an actual stand-up routine at The Improv, New York City's renowned comedy club, on a Friday night. "It was one of the most horrifying experiences I think I've ever been through," says Hancock. "You get up in front of an audience, half the people there are probably inebriated in some fashion, and you've got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don't know you from nobody." The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it's important to focus on how you communicate as well as what you communicate.
When Hancock joined Exodus, the relationship between security and finance was rocky. Finance folks viewed themselves as the guardians of the purse and Hancock's group as upstarts. Assiduously, Hancock started getting finance involved in security decisions so that they could learn the factors on which decisions were being made and thus understand the reasoning behind them. It was a carefully tailored education process that paid dividends for both sides. Later, when Hancock had to buy 800 firewalls, the finance department negotiated a leasing arrangement that saved his group a lot of money.
CSOs looking for someone with whom to commiserate over the difficulty of getting business executives to pay heed to seemingly arcane policies and procedures could do worse than hoist a few with the corporate counsel. Kingsley Wallman, vice president and associate general counsel with Exodus, notes parallels between the communication challenges faced by the CSO and those facing the legal department. Both groups are perceived as having been built around highly specialized disciplines that seem distant from the realities of business. And both call for the ability to communicate and interpret their fields to sometimes uninterested executives.
Wallman suggests that because CSOs must often communicate about conceptual and highly technical topics, they should make an effort to relate to their fellow executives in person. "A CSO
And it's not enough to just go blabbing horror stories. What's needed is to put things in context. "It's translating threats into the risk to business and communicating that you're working with them, not against them, to come up with solutions," says Rick Lacafta, chief information security officer with Travelers Insurance.
Like an external security vendor, the CSO needs to market his group's services across the enterprise