New Security Leadership: The Basics

Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.

September 11 profoundly changed the public perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics. But every security leader knows that as time passes after any incident - no matter how demonstrative - corporate concern for the issues brought to light by that incident tends to wane.

Maintaining the right level of boardroom and employee awareness (and therefore, frankly, security budget) is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. Below, CSO looks at what's Out and what's In.

OUT: FUD

FUD stands for fear, uncertainty and doubt, and it's long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road.

In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team's credibility. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say, 'OK, show me where the real [emergency] is,' and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven't learned how to make a data-driven risk management argument. A CSO who doesn't stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization's management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.

FUD also wastes money, because money raised through fear is rarely spent well. When CSOs buy and implement a security initiative based on fear, they'll have a much harder time managing and assessing it based on merit and actual results.

(To learn more, read "The FUD Factor" by Daintry Duffy.)

IN: Metrics and ROSI

Like it or not, the corporation is generally managed by the numbers.

Eventually, security will be almost completely metrics-driven. A reliance on metrics is, after all, the mark of a mature corporate function. Most security executives already need to develop, cull and otherwise employ risk analysis metrics and benchmarks. And experts say those leaders should devote considerably more financial resources to developing benchmarks than they do already.

"The ISO is going to the CEO saying there's a chance something bad, and possibly something embarrassing, could happen," says Alan Paller, director of research at SANS Institute. "But how much of a chance, the ISO doesn't know. And if he spends this kind of money, he can reduce the risk, but by how much he doesn't know. There is simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. The CEO doesn't want it, and eventually he won't take it."

So forget FUD, and start learning how to demonstrate the value of your ideas using metrics and, especially, ROSI (return on security investments). This is an approach that infosecurity pros have been slow to adopt, although it is clearly valuable. Economist Frank Bernhard's research, for example, shows about six cents of every revenue dollar is at risk because of a lack of information security, but many companies spend barely a dime of their IT dollar on security.

"I'm not sure why IT tends to disregard these tools," says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. "It's a bit frustrating to keep hearing that you can't do it accurately. That is not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization if they have the willingness to learn this."

ROSI is rarely easy. It requires legwork, and lots of it. As you begin, it's helpful to keep in mind that precise measurements are not necessarily the goal. "This is a classic problem that technologists have," says Kevin Soo Hoo, a researcher at the security consultancy @Stake. "They don't understand that you can make rough guesses to work out a problem. We dive into an ROSI study, and the engineers are focused on the minutiae and want to argue for days whether some variable should be .6 or .55. It doesn't matter."

With ROSI, as with all risk assessment, the goal is accuracy, which is not at all the same thing as precision. The point is to provide a set of guiding principles from which you, your CEO and CFO can make more informed decisions about what's acceptable. In other words, the CEO doesn't (or shouldn't) care if a return is precisely $3.13 for every $1 spent or $2.97. He cares that it's accurate to suggest about a 3-to-1 return, and not a 1-to-1 return or, worse, a 1-to-3 return.

(For a more complete explanation, plus formulas and sample ROSI calculations, see "Calculated Risk," by Scott Berinato.)
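The accuracy-versus-precision point above can be checked numerically. The following Python is an added example, not from the article or the sources it cites; it assumes the commonly used ALE-based form of ROSI (the article itself defers formulas to "Calculated Risk") and uses constructed figures. It ranks how much each uncertain input moves the result, which shows why arguing over .55 versus .6 is wasted effort when other inputs dominate.

```python
"""Sensitivity check for a rough ROSI estimate (constructed scenario)."""
from itertools import product

# Constructed planning inputs: a best-guess value plus a plausible range.
#   aro           - annual rate of occurrence (incidents per year)
#   sle           - single loss expectancy (dollars per incident)
#   effectiveness - fraction of the loss the proposed control prevents
BASE = {"aro": 3.0, "sle": 100_000.0, "effectiveness": 0.6}
RANGES = {
    "aro": (2.0, 4.0),
    "sle": (60_000.0, 140_000.0),
    "effectiveness": (0.55, 0.6),  # the ".6 or .55" argument
}
COST = 50_000.0  # annualised cost of the control (constructed)


def rosi(aro, sle, effectiveness, cost):
    """Assumed ALE-based ROSI: net risk reduction per dollar of control cost.

    ALE = aro * sle; ROSI = (ALE * effectiveness - cost) / cost
    """
    ale = aro * sle
    return (ale * effectiveness - cost) / cost


def swing(param, base=BASE, ranges=RANGES, cost=COST):
    """How far ROSI moves when one input sweeps its range, others held at base."""
    lo, hi = ranges[param]
    at_lo = rosi(cost=cost, **dict(base, **{param: lo}))
    at_hi = rosi(cost=cost, **dict(base, **{param: hi}))
    return at_hi - at_lo


def ranked_swings():
    """Inputs ordered by influence on the result, largest first."""
    return sorted(((p, round(swing(p), 2)) for p in RANGES),
                  key=lambda item: -abs(item[1]))


def rosi_bounds(ranges=RANGES, cost=COST):
    """Worst- and best-case ROSI over every corner of the input ranges."""
    names = list(ranges)
    corners = [dict(zip(names, c)) for c in product(*(ranges[n] for n in names))]
    values = [rosi(cost=cost, **c) for c in corners]
    return min(values), max(values)


if __name__ == "__main__":
    print("base ROSI:", round(rosi(cost=COST, **BASE), 2))
    for name, delta in ranked_swings():
        print(f"{name:14s} swing {delta:+.2f}")
    print("bounds:", tuple(round(v, 2) for v in rosi_bounds()))
```

With these figures the loss estimate moves the answer roughly ten times more than the .55-versus-.6 debate does, and the return stays positive at every corner of the ranges.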

OUT: Blame games and fall guys

When a breach occurs, the CSO frequently takes the blame. Sometimes, he is fired. What's wrong with that?

In a word, plenty. If you're the fall guy (or if your security group is) for every incident, then chances are good that you've taken the wrong position in your company's security decision-making process. Most common mistake: Setting up the CSO as the one who makes the final call.

(Gavin de Becker, Hollywood's de facto CSO, offers advice on this topic in an interview with Sarah Scalet.)

IN: Risk management and shared accountability

Even on security matters, the final call should not be yours. The final call belongs to the CEO, president, and board of directors - those who are directly accountable for shareholder value.

The right answer to "what is security supposed to do?" (as Paller alluded to in the "Metrics and ROSI" section, above) is this: Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies. Then the business leaders make the decisions on acceptable risk.

Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization's security IQ. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger speaks at business group meetings and consults with Delphi's executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and he mandates that all new employees take a security course and undergo training.

When Granger first arrived at Delphi, he laid out a charter detailing the differences between his responsibilities and those of corporate.

Granger says his charter, which defined the global security policy at Delphi, was well received. Since then, says Granger, considerable effort has been spent spreading a "strong infosec policy that's published everywhere. Here, people can't say that they aren't aware of the policy," he says. "The charter has greatly enhanced our visibility and security awareness here. They know who we are."

But it's not solely about getting the word out, says Granger. It's how you speak the word and how it's received. Often, it comes down to developing trust with your peers, which lets them, in turn, feel more comfortable shouldering some of the accountability burden.

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Process management can reinforce the fact that security is not a one-group function. Moreover, its linkage to a business context (its embeddedness within enterprise business processes) suggests that other players are ultimately accountable as well. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams tries to involve as many different functions in his security process as possible. Williams works with members from various cross-functional groups, with internal audit and the insurance group, for example. He also breaks his security process into three core elements: risk assessment, enterprise-wide collaboration and strategic planning. Williams staffs his department with people who come from a variety of areas: systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can "cut across security and think in terms of the whole organization," he says. As part of the process, he and his team continually assess and reassess all of their client groups' needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. "I own the process," Williams says confidently. "There are a number of processes here that have my team's signature on them." But, he and other CSOs add, all security processes should always have the business execs' signatures on them as well.

Getting past the Fall Guy Syndrome boils down to good policies, good process management and constant corporate education.

OUT: Tech talk and copspeak

A not-so-secret secret: Many executives think security chiefs have a bad attitude. And we're not just talking about information security officers. Traditional, corporate security executives are saddled with a bad rep. It's time to learn what it means when a CEO, after eliminating the CSO or CISO, says, "There was just something about him that didn't fit with the organization."

The physical security chief, according to stereotype, is a rigid and dogmatic "top cop" who has an "arrest" mentality and is a no-man as opposed to a yes-man.

The information security executive comes across as an arrogant know-it-all who is whiny, defensive, uncooperative and doesn't try to work with others because, how could anyone but he possibly understand the technical challenges he faces?

Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. "We had one CSO candidate for a Fortune 500 not get the job," says recruiter Tracy Lenzner. "And he (I can hardly explain it, but it was so telling) lashed out about how the company didn't know anything. He was angry. He was like a child that didn't get his way."

(Want to learn more about moving past these stereotypes? Read our special Image issue, starting with the introduction, "Show Time for Security.")

Former CISO Stephen Northcutt believes the attitude comes from the likelihood that many candidates for CISO positions are underqualified. "They are stressed out, secretive, edgy and defensive because they don't have the understanding or mastery of tools they need," he says.

As a result, those candidates fall back on old habits, such as always using highly obscure explanations of technology, or always having a negative reaction to any risky or unorthodox business proposition. Those forms of communication don't fly in the boardroom.

IN: Business language and communication skills
