New Security Leadership: The Basics

Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.


In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM's financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company's business line executives. "Everything I bring them is cost additive, and that can create a natural conflict," says Christiansen. "I need to be able to show the bang for the buck, the ROI per dollar and how I'm going to help them solve business problems." None of that can be achieved without a keen understanding of the business and the recognition that the CSO's role is to enable business success in an appropriately secure context. To combat the perception that security is divorced from the business world, Bill Boni, Motorola's CISO, has even gone so far as to shun the usual moniker, "IT security" in favor of the more business-friendly title, "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed in a server or confidential contracts in a sheaf of papers.

Talking in business terms with executives can also be a tremendous asset in advancing the CSO's agenda, which is often bogged down by the perception that it's too technical for business executives to understand. "I've seen too many information security practitioners fall short in their role because what they really love is the technology," says Boni. "They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives' insight, experience and judgment can be engaged, the executives are already disengaged. The executives conclude that security is at a level that's inappropriate for their consideration."

As the old saw goes: It's not just what you say, but how you say it. So practice your delivery. As anyone who's ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City's renowned comedy club, on a Friday night. "It was one of the most horrifying experiences I think I've ever been through," says Hancock. "You get up in front of an audience, half the people there are probably inebriated in some fashion, and you've got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don't know you from nobody." The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it's important to focus on how you communicate as well as what you communicate.

Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle's CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. "People ought to be thanked for doing their job more often," she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. "Business is personal," Davidson says. "It's not being manipulative, it's just that you catch more flies with honey."

OUT: Silos

Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group... you know the usual drill. Security functions have a history of fragmented organization. "Each of these departments' main mission is 'to protect company assets;' however, each usually reports through a different hierarchy," one privacy and IT security manager puts it. "It makes no sense."

Historically, the greatest chasm - not just organizationally, but culturally as well - lay between information security folks and their corporate security counterparts. Each side has a list of pejorative ways to describe the other's profession and professionals (propellerheads vs. knuckledraggers, etcetera).

IN: Holistic security

Enough squabbling already. Disjointed management and lack of communication lead to a weaker security posture and wasted money due to duplicated efforts.

"The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management," says Lance Wright, principal at the Boyden Global Executive Search company.

Consider these specific areas where holistic security management pays off:

- Business continuity: Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective."

- Hiring and firing: When an employee comes on board, she may need a number of assets and rights before she becomes productive: a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. Conversely, a company with disjointed access management can expect a much longer ramp-up time. That's lost money. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.

- Intellectual property protection: IP (patents, ideas, classified research) is stored in many forms, from data on the corporate network, to CAD printouts in the trash can, to drawings on the whiteboard in the graphics department. Losing that proprietary information can cripple a company competitively. Bill Boni, CISO of Motorola and a former Army intelligence officer, notes that the only way to protect intellectual property from threats inside and outside the company is by interconnecting all the necessary defensive measures - logical, physical, legal and otherwise.

- Regulatory compliance: Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces. Who's going to give them an accurate picture if no one has visibility across all security domains?

- Coordinated access management: It's midnight, and the network control center notes that the CEO just logged on to her office workstation. Problem is, the building access card system notes that the CEO left the building five hours ago. If the network and building access controls were coordinated, the night watchman would know he needs to take a stroll down the hall and see who's sitting at the CEO's desk and using her account.
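The midnight scenario in the last item, written as a correlation check between badge and logon records. This is an added example, not part of the original article; the record layouts, user names and host names are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data; field layout and all names are assumptions.
BADGE_EVENTS = [  # (user, ISO timestamp, direction)
    ("ceo", "2004-03-01T08:02:00", "in"),
    ("ceo", "2004-03-01T19:00:00", "out"),
    ("jsmith", "2004-03-01T22:15:00", "in"),
]
LOGON_EVENTS = [  # (user, ISO timestamp, host, logon kind)
    ("ceo", "2004-03-01T09:00:00", "ws-exec-01", "console"),
    ("ceo", "2004-03-02T00:00:00", "ws-exec-01", "console"),
    ("ceo", "2004-03-01T21:00:00", "vpn-gw", "remote"),
    ("jsmith", "2004-03-01T23:30:00", "ws-noc-07", "console"),
    ("temp01", "2004-03-01T23:45:00", "ws-lab-02", "console"),
]

def build_badge_index(badge_events):
    """Per user: chronologically sorted list of (time, direction)."""
    index = defaultdict(list)
    for user, ts, direction in badge_events:
        index[user].append((datetime.fromisoformat(ts), direction))
    for swipes in index.values():
        swipes.sort()
    return index

def presence_at(index, user, when):
    """Last known badge state at `when`: 'in', 'out' or 'unknown'."""
    swipes = index.get(user, [])
    # "~" sorts after "in"/"out", so a swipe at exactly `when` is included.
    pos = bisect_right(swipes, (when, "~"))
    return swipes[pos - 1][1] if pos else "unknown"

def find_presence_conflicts(badge_events, logon_events):
    """Console logons by users the badge system does not place on site."""
    index = build_badge_index(badge_events)
    alerts = []
    for user, ts, host, kind in logon_events:
        if kind != "console":  # remote logons are expected from off site
            continue
        state = presence_at(index, user, datetime.fromisoformat(ts))
        if state != "in":
            alerts.append((user, host, ts, state))
    return alerts
```

Badge state is only as good as the swipe discipline behind it: tailgating and doors that do not record exits produce "unknown" or stale states, so an alert here is a prompt for the walk down the hall, not proof of misuse.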

The most obvious way to manage security holistically is to make one person responsible - a CSO. But even in companies where that's impractical, creating new lines of communication and knocking down formerly adversarial relationships is a must.

(For more about the benefits of holistic security, read "Convergence: The Pain & The Payoff" from our special report on convergence.)

Compiled from CSO Magazine and Contributing writers include Scott Berinato, Daintry Duffy, Sarah Scalet, Tom Wailgum and Malcolm Wheatley. Send feedback to Executive Editor Derek Slater at

Further Reading

Selected leadership profiles from CSO Magazine:


Want to hear about security leadership straight from the source? Read the latest Undercover, a monthly column written by an anonymous CSO.

Security 2.0

What does it take to bring together information security and physical security? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely. Read more about how John Petruzzi, director of enterprise security, is leading the transformation.

Secrets of Their Success

It takes more than knowledge and experience to excel. Five top CSOs share their tips for putting forward a positive message in appearance, word and deed. Hear from American Electric Power's Michael Assante, the Bank of America's Rhonda MacLean and others.

Goal-Line Stand

Anything can happen at a football game. But Milton Ahlerich, the NFL's VP of security, has sworn to make it safe for players and fans alike.

Safe Harbor

From Boston's Logan Airport to the city's waterfront shipping facilities, CSO Dennis Treece patrols an anxious perimeter.

Called to Account

Some security executives see protecting their company's assets as a way to earn a living. ABN Amro's CISO Sharon O'Bryan sees it as her mission.

The Architect

Imagine being able to layer security into your building the way you do the plumbing or wiring. Genzyme's Dave Kent doesn't have to imagine it-he got to do it.

It's a Small World

Bob Littlejohn heads up Avon's worldwide effort to keep the business up and running and the employees safe.

The Human Touch

GWU's information security officer Krizi Trivisani focuses on the softer skills-like communicating with students and administrators-to help her battle real-life villains.

Copyright © 2004 IDG Communications, Inc.
