Bob Moore Knows How Not to Get Fired

Remember: Once you have a security leadership job, it's the little things that help you keep it.

Nearly 30 years of experience and four jobs in corporate security, including his current post as executive director of global security at Merck, and not once has Moore been let go, laid off, fired or otherwise left to "pursue other interests," as the transparent euphemism goes.

He attributes his perfect record to the kinds of things you'll find in all the management and leadership books: honesty, confidence, good staffing, experience. But then he backs it up. He demonstrates how the dog wags the tail, not vice versa. He hasn't been fired, in part, because of his credibility. Sounds nice. But then Moore explains in large block paragraphs how he gained credibility—by reporting to legal counsel, for one. And by creating global security policies in which the most detailed section is not on what employees can and cannot do, but on the ethical guidelines for his own security team.

"He is what I'd call the example of a CSO who's a leader and who will thrive," says Tracy Lenzner, CEO of the LenznerGroup, an executive recruitment company that places CSOs and CISOs.

Not all of you will be as lucky or as smart as Bob Moore. In fact, the reason we're writing this story now, right after you learned how to get hired, is because there is also an epidemic of security leader firings going on. That's especially true in the information security ranks. Companies such as Merrill Lynch and Fidelity have eschewed their information security officers. And R.A. Vernon, the CISO for Reuters America, was interviewed for this issue because of his wealth of experience and because he directly contributed to his company's revenue stream. Before we finished, he was let go.

The statistics show that most of you are not like Bob Moore. You are young in your job or the first to hold an executive security position at your company, or both (see charts from our exclusive survey results, Page 46). Many of you are fulfilling a vague dictum from the board to get serious about security because of 9/11, or because of the continuing flow of computer attacks, or because of war. There are plenty of reasons to create a security function. Generally, though, it's done without much notion of what the function should be (never mind a practical job description).

All of that combined with a penny-pinching economy, Lenzner says, makes many of you eminently fireable. If other executives perceive little or no value (or even negative value) from what you're doing, you'll be gone in a New York minute.

The good news is that some of the tips that helped you get the job will also help you keep the job. But here's even more advice, from successful CSOs and ISOs in the field, on how to make yourself truly indispensable so that, one day, you too can rightfully brag like Bob Moore can today.

Easy Is Good

Overall, not getting fired is not so easy for security executives. After all, theirs is a job that, when done well, leads to...well, nothing. Sales executives can show higher sales and not get fired. Accounting executives can show lower expenses and not get fired. But security executives need, literally, to demonstrate that their spending led to nothing and that the company should keep spending money for nothing. Now, that's a talent that requires exceptional skill!

Having said that, you can always start by grabbing for the low-hanging fruit—the easy tasks that demonstrate some of your value now. We're not suggesting that such tasks are the most important steps for you to take, just the first ones. And that is an especially good place to start if you happen to be the company's first security executive. You'll need that "now" payoff that the easy win provides, since there's a fairly good chance your executive board created the CSO position with only a vague sense of need—and with absolutely no good sense of the role. So if the board doesn't see payoff soon, it's likely to lose interest and try to kill the position, or, as it thinks of it, reduce the expenditure.

The easy (and relatively low-cost) first steps that follow will quickly give you purchase, and at the same time help your executive peers know, now, that you're valuable.

First, Do Nothing (But Observe)

Pick your metaphor—survey the environment, do reconnaissance, diagnose the patient. The point is this: A good portion of a new CSO's time should be dedicated to figuring out the corporate culture and how to work (in) it. If you don't, you'll probably lose your job.

Lenzner has seen it happen too many times. "When you go into an organization, you are probationary, no matter what level you're at," she says. "We've watched people go in and start firing, changing policy wholesale, messing with staff—and all before they even know where they are. All before they even have a clear understanding of how the company works."

Conversely, she says, some security executives learn to go into a situation without a clear understanding, yet they thrive. "They take the time to learn the nuances," Lenzner says, "and they find the silent players and learn the politics."

The CSO who spends time studying his environment, says Lenzner, will hear what's said but also hear what's implied. "The CEO will say, We want you to do X, and the good CSO will know that means, We want you to do X, but if you alienate those three divisions of the company over there in the process, you'll win a battle and lose the war. And they'll know when to compromise, adapt."

Then, Do an Audit

A corporatewide security assessment sets your bearings. Much of what you do afterward will be a result of this first major initiative. From this audit, you need a baseline of the company's security status. "Baseline, baseline, baseline," Stephen Northcutt says. "After I was hired but before I even walked into the building at BMDO (Ballistic Missile Defense Organization, now the National Missile Defense), I ordered an independent audit. Why? How am I going to say later that I made 2 percent progress without a baseline?"

You might as well know now that, to stay in your job, you'll need to provide your peer executives and the board with more metrics than you ever imagined. Probably more than you have.

OK. Those of you with an IT heritage are now free to complain about how difficult it is to create meaningful security metrics. And those of you from a physical security background are allowed to mourn the loss of those days when no one asked you for them. Too bad for both of you.

"For a long time, security wasn't challenged on metrics. We were different from the rest of the workforce, kind of mystical," says Ray Humphrey, former CSO of Digital. "Recently, I see more emphasis than ever on providing the executive team with benchmarks and data. I happen to think that's excellent."

The hard truth, however, is that the degree of success a CSO can have will largely rest on his ability to provide metrics. "They'll need to move security from the boiler room to the boardroom," says Humphrey.

Next, Pluck the Low-Hanging Fruit

Here's an ancillary benefit of that first major security audit: It will, more often than not, expose one or two gaping holes in corporate security architecture and policy. Fix them right away, and make a big deal out of it.

"Financially, the only reason a CEO will call you is if he discovers losses or suffers an event," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who has held security and safety management positions at prisons. Patch up a gaping hole at little or no cost, and you're immediately a minor hero, McCreary says. "You've done much better than coming in and asking for a lot of money to implement some overarching new plan."

Soon after arriving at biotech company Genzyme, CSO Dave Kent learned it had 13 discrete building access systems and that dozens of employees were authorized to delegate access privileges (see The Architect). Kent consolidated down to one system and authorized only a handful of employees to give access privileges (a more secure practice, anyway). Thing is, he also had the overarching new plan that would require tons of resources, but he took the easy win first and used it to build his case for the big picture effort.

Eight years later he's still CSO.

Learn How to Use, Uh, Whaddya Call It?

So you've got a few easy wins under your belt. Now start building a foundation for long-term success. These concrete tips focus on further dousing that mystical aura of security that Humphrey talked about and replacing it with, well, a fiscal aura.

Mike Coughlin, CSO of pharmaceutical company Wyeth, came up through the ranks like many CSOs, more from the law enforcement side of things than from the business side. But Coughlin says that today, an aspiring security executive who studies criminal justice is "having his or her education robbed. I want accounting, management, even English and history," he says. "You used to be able to get away with it. We were in the in-house police force. But no one who wants to keep his CSO job ignores business anymore."

Coughlin says he needs to improve his own business acumen. You get the sense he's exaggerating some (peers speak highly of him), but then again he also says one business skill CSOs need is "the ability to make attractive, uh, what do you call them?, the, uh, presentations. The medium's the message. The ability to be slick, it gets senior management on your side."

PowerPoint is good. Humphrey says to learn budgeting and strategic planning. Variance analysis. "A good security executive," he says emphatically, "can demonstrate contributions to the bottom line, even though their job means taking money from the company and they'll never have irrefutable proof of their effectiveness."

It seems like pretty obvious advice, to get business savvy, but it's worth rehashing. Lenzner says she sees candidates who lose sight of this in uncertain situations (such as the one many of you are in: being a new CSO or your company's first one). Those from the physical security world slip into a dogmatic enforcement mentality. And those from the IT world will likewise slump back into a technical posture.

In either case, peer executives will quickly start to expect nothing more from you, and you'll turn into a perfectly fine middle manager with no executive clout, or you'll be let go.

Says Coughlin, "The guys who are admired in this profession are at ease communicating in a business language and environment."

Oftentimes that means using, uh, you know, presentations and stuff.

Adapt to Your Industry

Even Bob Moore, with two decades of impressive credentials, felt "angst" taking the job at Merck. Why? "I was moving to a new industry where I didn't have knowledge and breadth of experience I needed," he says. "I came from oil and gas, which you can steal, but you can't counterfeit. Which is what product security at Merck is about: protecting against counterfeiting. I needed to get up the learning curve quickly." In other words, security is contextual, and you had better know what context you're operating in before you start applying policy and so forth.

Coughlin had a similar experience at Wyeth. "You might have scientists who cheat on drug orders and people who take bribes from vendors here, and cheating and bribes are no different challenges than you might face in a financial services company," he says. "What is unique is the context; biotech is an environment which is like college. It's an academic, campus atmosphere, so I'm not going to secure it the same way I would a financial services company."

Serve Milk and Cookies in Blue Jeans

This odd directive is a composite of two techniques Northcutt experienced at the Navy. First, he held regular sessions, open to anyone, where he would spend a half hour explaining some technology to whoever wanted to know more about it. (It didn't need to be limited to technology. A CSO with broader responsibility could spend a session talking about, say, a "clean desk" policy keeping sensitive documents from prying eyes.) Northcutt served milk and cookies at these informal awareness sessions.

"You have to understand it was a hostile environment because the security officer there before me treated everyone like, Show me your plan and I'll tell you what's wrong with it. I mean it was overt hostility. Getting fired would have been easy," Northcutt says. The awareness sessions made him less fireable because "people realized security had a clue and we cared about the same things they did."

Or maybe it was the free milk and cookies.

The blue jeans thing, Northcutt says, comes from another former manager of his who, every Friday at 2:30 p.m., set aside the rest of the day to learn something technical. The manager, a buttoned-down type, called it "blue jeans day" even though he always wore business casual and kept a jacket and tie handy.

"It was great because he knew enough that, when you needed him to make hard decisions or operate in a crisis, he knew the basic concepts," Northcutt says. "He knew what words to use, and people respected him."

Welcome to the Business Table

This is a two-step process. Step one: Bond with the other suits.
