Security Leadership: 2007 CSO Compass Awards

This year's CSO Compass Award honorees have achieved alignment of security and business goals, through advocacy, active engagement and, in some cases, a sense of humor.

There are many paths to alignment. This year's CSO Compass Award honorees have sought alignment—and found success—through very different means. Their strategies vary from sagely anticipating and preparing for business risks, to humanizing the often austere security function, to advocating metrics and numbers as a common language to bridge the communication gap between business and security leaders. We asked each honoree to share with us his or her thoughts on, experiences with and strategies for achieving alignment.

Metrics Might

George Campbell
Current position: Managing Partner with the Business Security Advisory Group, a consultancy composed of several former CSOs from global corporations.
2002–2003: president of International Security Management Association
1998–2003: ISMA board of directors
1994–2002: CSO, Fidelity Investments

Despite the strides that security organizations have made post-9/11, George Campbell believes that CSOs can still do a better job of communicating their core value to the business. "When it comes to seeing security as really connected to the brand and a fundamental part of the value equation, the corner office still hasn't crossed that bridge."

But surprisingly, Campbell's remedy doesn't depend on getting more face time with the CEO. In fact, he believes that security executives focus too intently on how they are perceived by the board or the CEO to the detriment of building relationships with the many other constituencies they serve throughout the organization. "Whether it's from the top down or the bottom up, you've got to get in their face and understand their business," says Campbell, who is 64. He exhorts CSOs to engage their business colleagues by saying, "Here are the skills we have; where can we contribute to making you more successful?"

Campbell believes that metrics are fundamental tools for CSOs who want to influence policy, effect change and communicate their value to the organization. He recently wrote "Measures and Metrics in Corporate Security: Communicating Business Value," published by the CSO Executive Council, an affiliate of CSO. In the book, Campbell discusses what data one should track and present, how to present it and to whom. He suggests that CSOs need to develop a three-part "dashboard" of metrics: one section for items like a safe and secure workplace that are seen as the direct responsibility of the security department, another for metrics that are unique to their business constituents and one for metrics that are unique to the organization's success. Some need constant monitoring. Others (like internal misconduct cases) develop trends over time.

Security is often seen as a nebulous function with its own obscure language, so metrics can be a tremendous communication tool for bridging the gap with business. For example, if a CSO can go to a business unit and give them the leading indicators that show that they are heading in a risky direction with the vendors they've selected or the people they are hiring—people are getting into trouble more often, there are more business interruptions, more problems with workplace violence—that is a powerful thing, says Campbell. CSOs need to remember that "we don't secure the company, we are facilitators," says Campbell, "and metrics help us tell a story."

Read more at CSOonline: "How to Connect with Metrics" (audio podcast) | "How to Use Metrics" (book excerpt) | "Smackdown" (about the CSO role)

Putting People First

Francis D'Addario
Current position: Vice President, Partner and Asset Protection, Starbucks Coffee
1997–present: Starbucks
1990–1997: director of loss prevention, Hardee's Food Systems

Francis D'Addario believes that the opportunity for security to be relevant in any business organization lies in its ability to provide what he calls "just-in-time security." When he joined Starbucks in 1997, it was in the wake of a botched robbery attempt at a store in the Georgetown section of Washington, D.C., in which three Starbucks employees lost their lives. From his first week on the job, D'Addario and his team were committed to improving safety. They introduced time-lock and time-delay safe lock technology and closed-circuit television surveillance. They built security into new-store designs by ensuring that would-be robbers could be easily observed by passersby. They track traveler risk, and they involve partners and licensees in security-raising efforts.

With more than 12,400 coffeehouses worldwide, security has become a critical component of Starbucks' ability to attract and retain quality employees. "Partners are our number-one priority," says D'Addario, 54. "That's something that is well-prioritized within our [corporate] values, and it's our ability to be an employer of choice that enables us to grasp opportunity."

Through communications and training, Starbucks employees receive constant reminders that security is a priority. Staff undergo workplace violence awareness training, and discuss safety at monthly operational meetings. In larger markets, reminders about anonymous risk reporting appear on biweekly pay statements.

D'Addario's team provides just-in-time security to a brand operating in 35 countries as a retailer, manufacturer and distributor of beverages, food and entertainment. The key, he believes, is to keep up a continuing conversation with business leaders and customers to ensure that the security organization meets their current needs and enables their growth plans. "We have to make sure that the manager of each store or branch or entertainment business has the reliable loss prevention capability to keep people safe and protect profit and loss," says D'Addario. "We have to understand what the risks are to that business, what markets are opening up and what requirements we're going to have to adopt."

The success of Starbucks depends on its ability to find, buy and transport coffee from around the world. Among the risks Starbucks faces is supply chain tampering, and that has led the Starbucks security group to develop standards and technologies to ensure product safety—everything from proliferating ISO28001 standards for container security and authentication methods for trusted agents who handle containers, to technologies that track internal temperatures and humidity to ensure that products arrive in ideal shape for consumption. A global pandemic represents another threat. D'Addario has been working with the crisis management and business continuity groups to formulate a plan that could allow the company to nimbly adjust to business in a contagious environment. The plan would leverage the existing drive-throughs and some storefront locations to create an all-carryout enterprise. "I think the ability to win a seat at the table is to have the continuing conversation for identifying the relevant risk and mitigating it in a relevant and persuasive way that is measurable," says D'Addario. "Then continuously reevaluate what that risk looks like."

Read more at CSOonline: "Where the Metrics Are" | "Job Descriptions"

Call Me Anytime

Deven Bhatt
Current position: CSO, Airlines Reporting Corp.
2002–2004: Corporate Information Security Manager, Newell Rubbermaid
1990–2002: various security positions at Frontier Telephone, culminating in Manager of Security

For Deven Bhatt, achieving business alignment means taking a very personal approach to his job. Although Airlines Reporting Corp. (ARC) processes $70 billion worth of ticket transactions each year, security was a one-man operation when Bhatt joined in 2004. With limited resources at his disposal, Bhatt learned early on that developing good relationships with employees across the company would be critical to creating a security-conscious culture.

So Bhatt, 49, advertises his availability. When he conducted a mandatory security awareness training program for the company's 450 or so employees, he handed out a brochure that contained his personal cell phone number. (The program covers computer security, ID theft, fraud, business continuity and emergency evacuations.) "I still get calls in the middle of the night," says Bhatt. "That's fine. I really want to show my commitment." He also has an open-door policy to encourage employees and business leaders to bring him problems rather than hide them. "We can always find a middle ground" for a solution, says Bhatt, who adds he is careful never to blame the messenger for sharing information, and he encourages employees to bring up any issue, no matter how trivial it seems.

Now that his department has grown to seven members, Bhatt has deployed his staff to sit within individual business locations to serve as their security points of contact. Initially corporate leaders questioned whether this was necessary, and employees were worried that security was there to spy on them and monitor policy compliance. But Bhatt was able to show that this was a customer service move designed to provide quick results to security-related needs.

Bhatt believes there is a clear value to providing personal attention. He's even willing to play the fool if it enhances security awareness. He put together a Mission Impossible–style spoof film for his security awareness event, with the CEO and other executives as his actors and playing the Inspector Clouseau role himself, complete with pratfalls. Although the film was intended to educate everyone on the need for general security and the Payment Card Industry (PCI) standard for processing credit card data, it had the added bonus of humanizing the security function. Bhatt also offers employees training to help them with physical and computer security at home. "I want people to feel this from their heart, that this is their company, and security is their responsibility," he says.

His approach has paid off with the success of several high-profile projects where failure would have been catastrophic and where employee cooperation was crucial. ARC was the first company in the airline travel industry to achieve PCI compliance, a requirement for all merchants and service providers that store, process or transmit credit card data. Bhatt also convinced his CEO and executive board to make support for security initiatives such as the encryption project and the awareness training program a prerequisite for receiving annual bonuses. ARC completed both.

Read more at CSOonline: "Winning the Gadget Wars"

Trusted Information Hub

Dan Lohrmann
Current position: CISO, state of Michigan
1997: started working for the Michigan state government
May 2002: appointed CISO
1985–1997: network engineering positions with ManTech International, Loral Aerospace and the National Security Agency

The state of Michigan may have 55,000 employees, but in many respects it's a small community. "People have been around a long time in state government and you get a reputation," says Dan Lohrmann, Michigan's CISO. "It's very important to be someone that delivers." For that reason, Lohrmann believes that trust is the cornerstone of a well-aligned security organization.

One of his techniques for building that trust is to "undercommit and overdeliver" when dealing with his state agency counterparts. This strategy is particularly important in state government, where funds are short and legacy systems are plentiful. He makes a point of celebrating security achievements with his own department and with the business units that helped make them possible. "Thanking them enhances the image of the security department, so they start to think of us as partners instead of this oversight body," says Lohrmann, 43.

For example, Lohrmann's group threw a pizza party for the Department of Information Technology to thank them for helping reduce the number of vulnerabilities on their servers (a milestone in achieving PCI compliance). "By showing our appreciation, it helps to build trust and change the perception of us as always being the ones who say no," Lohrmann says.

Lohrmann also looks for ways to add value beyond the basic services that security is expected to provide, such as identity verification and virus protection. By installing Web-filtering technology, he was able to avoid approximately $700,000 a month in spyware, bandwidth and repair costs. Because of his background at the NSA and his work with the Department of Homeland Security on behalf of the National Association of State Chief Information Officers (Nascio), Lohrmann has relationships in Washington that he has been able to leverage on behalf of some of his state agency directors. "I've been able to work on issues that were of interest to individual directors, and they really like that I'm helping them conduct business and do their job."

He has been able to share insights from his work at Nascio to help the state's homeland security adviser, Mike McDaniel, and establish processes for a new homeland security intelligence center, where law enforcement, public safety and private-sector participants share information. Lohrmann says he's also been able to help DHS officials in Washington understand state and local homeland security issues.

Lohrmann's efforts to build those trusted relationships have paid dividends. When the Michigan Department of IT (MDIT) recently undertook a Return on Security Investment analysis, the results convinced MDIT's state agency customers to double their IT security spending at a time when the state budget overall has been cut.
