How you fund a CSO

There’s a security professional out there who was formerly the CSO at an online trading firm and now is CSO for a security product vendor. Without the faintest hint of irony, he suggests that the average corporate security budget should be 4 percent to 10 percent of total revenue. He says he’s now comfortable with executives laughing in his face.

Naive as it sounds, it points to a real disconnect between security executives and the rest of the board. Even as security gets more moneyan average 29 percent increase last yearthose in charge of security believe the budget increases are way too small, that a 77 percent increase is more justifiable.

And that’s just the start of it. Although every trend indicates that physical and IT security will merge, a CSO survey shows that seven out of 10 companies haven’t merged budgets for the two disciplines. Seasoned security professionals argue against IT security spending going under the purview of the IT department (because of conflict of interest), yet three-quarters of companies in the survey do just that, averaging 10 percent of their total IT budget devoted to security.

Security budgets overall are widely dispersed, according to the survey, with about a third falling under $100,000, a third between $100,000 and $1 million, and a third more than $1 million. Of course, it’s hard to gauge if that’s actually meaningful because some of those budgets will include all security expenditures, while others will omit certain items that, in the context of that particular company, fall elsewhere, like disaster recovery, loss prevention or audit functions.

And just to completely muck up the picture, a recent Office of Management and Budget study found, for federal agencies anyway, no correlation between an increased security budget and increased security effectiveness. All of which is to say, if you want a number for what makes a good security budget, we ain’t got one. We’re not even sure we can put you in a ballpark. If creating a security culture is like sawing through a piece of wood, budgeting is that knot that jams and bends your saw, and probably sprains your wrist.

So without hard facts to give you, we will resort to offering general truths about security budgeting. They are:

1. You need to increase your security budget. We can tell you that CSOs are understaffed and need more resourceshuman and financial. But the longer nothing bad happens, the more apathetic the CFOs and CEOs become about funding securitywhat CISO Bill Spernow of the Georgia Student Finance Commission calls security’s “half-life.” So don’t become apathetic after six months of incident-free living, but also don’t be afraid to demand some metrics to justify your continued empathy as well.

2. Your CSO must target spending more wisely. But sometimes it’s hard to tell if the budget a CSO gets is being well spent. Think of it this way: If you wear your seat belt for a year but don’t get in an accident, was that an effective security measure? What will help answer that kind of question is, again, an increased focus on metrics and viewing security not as a binary spend (either it makes us safe or it doesn’t) but as a risk equation (how safe does it make us relative to the cost?).

3. You should spend less on technology and more on education. CISOs, especially, seem to think the solution to every security problem is to throw more technology at it. “It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember an editorial suggesting that cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective,” says Spernow.

4. Last, you should use common sense, even in the wake of a major incident. Too often, top executives succumb to their emotions after a major incident. Someone steals intellectual property, and, to avoid bad press, the company pays a hacker an extortion fee. That kind of overreacting is human, but it’s also not the way to budget for security. It leads to wild overspending, followed by severe curtailing. It sends mixed signals about the value of security. It is a characteristic of a corporation that is reactionary to security, not proactive.

Trust us on this one: When you’re reactionary, security execs will take advantage of you. “What’s amazing about major incidents,” says Stephen Northcutt, a former CISO with the Ballistic Missile Defense Organization, “is that the status quo ceases. At that moment, you can go to the top brass and ask them for anything, and they’ll do it. Boom. And, 100 percent of the time, I’ve got something on my shopping list. And I’m completely brazen about it. It might have nothing at all to do with the incident at hand, but I’ll get it.”

The organization that inculcates security into its culture is more likely to budget well, so it all starts with awareness, education and executive endorsement. (By now, these are recognizable, recurring themes in this handbook.) And if your CSO asks for a budget of 4 percent to 10 percent of total revenue, it’s OK to laughunless that’s what you need.

-Scott BerinatoPeer to PeerVIEW FROM THE CFO

Thinking about security has become second nature to us at Genzyme. In fact, security is an integral part of everything we do. Our company’s lifeblood is intellectual property and the people who create it. So we’re very aware of protecting both. Some companies have only begun to establish a stronger security sense since 9/11somewhat like hiring a CFO only when you need to close the books at the end of the quarter.

Dave Kent, our vice president and CSO, and I work very closely together. We are members of common work teams and frequently meet informally. It is imperative that the CFO and CSO maintain a close relationship. Failing to maintain a close and open working relationship leads to potentially costly decisions.

As for educating ourselves about security, the senior management staff meets frequentlyformally and informally. We use such occasions to review changes in our business, discuss both new and ongoing programs, and review functional areas. But it is the ongoing contact with Dave that provides the real education. Since we have had a CSO for so long, it has become second nature for us to integrate security into everything at Genzyme. The nature of our business dictates that everything we do has the highest standards built in. Security is part of those standards, and it starts at the top. If security is made a priority and it has become a natural part of your work life, you think of it less as an event and more as business as usual. For us, being smart about security is less a matter of spreading the education and more just a basic part of our lives. It’s less of a process of who educates whom and more of a natural offshoot of our culture. Because the nonsecurity executives at Genzyme are aware of security, they tend to seek out Dave at the same rate as Dave educates them and their staffs. We think of it more as a dialogue than an educational series.

As a biotech company, it is vital for us to do it right the first time. Everything we do needs to be of unassailable quality, from the clinical trials to the protection of our employees. For us, there truly is no alternative. The risks are simply too great. Through the integration and involvement of security during the design phase, we avoid costly surprises later. We monitor all expenditures closely. We review what programs work and which don’t. But in the end, it all comes down to early involvement and doing it right from the beginning.

Companies need to think about the CSO role as part of their daily business life. While September 11 increased the awareness and need for CSOs, we know that you can’t think of security in terms of one-time events. Our employees, our patents and our business are simply too important to take a chance. Think of it like electricity. When the power goes out for most of us, it’s an inconvenience that means we might lose some food in the refrigerator. But the repercussions of a power failure increase significantly for someone on a respirator or other medical device that is vital to his life. Nonsecurity executives need to think about security the same way. The costs of a security failure can easily become a determining factor of a company’s success or demise.

Michael S. Wyzga is corporate executive vice president, corporate controller, CFO and chief accounting officer of Cambridge, Mass.-based Genzyme.Be the TortoisePLANNING

As the United States prepared to wage war on Iraq, peace of mind could be had for $20 at the corner store. Duct tape, potassium iodide tablets and a 5-gallon jug of water were the celebrated “duct and cover” of the terrorism agebought, paid for and carried home in a paper sack. Here was something tangible that Americans could do, or at least think about doing: They could seal windows against chemical and biological agents, protect their families from radiation poisoning and have drinkable water in case the reservoirs were somehow poisoned. Problem solved.

But as the months went by with no new attacks on American soil, the water got drank and the duct tape unrolled, while the iodide pills gathered dust awaiting their expiration dates. Nothing had happenedso why bother buying more supplies? Crank the security threat dial-o-matic back to a one, kids, or maybe even a zero.

That is a human reflex, and one that plagues corporate America as well. For businesses, the sequence goes like this: Perceive a threat, probably because something terrible has happened, like a website defacement. Scurry around throwing money at the problem for a month or two. Then, when nothing else happens, decide the money was wasted. Ignore threat. Reduce funding. Shampoo. Rinse. Repeat.

We overreact when something bad happens and underreact when nothing happens at all. That’s no way to approach security. And nobody understands that better than a CSO. In fact, a primary role of the CSO is to help your organization find equilibriumto ensure that you don’t foolishly spend your wad on iodide tablets one day, when what you really should do is have ongoing family discussions about how and where you would find one another during an emergency.

Sure, the CSO has selfish reasons for wanting to find this balance. Nobody wants to see his budget slashed in half one year and doubled the next; that’s disruptive.

But the CSO, in advocating for equilibrium, also has your company’s best interests in mind. Securitygood security, that isis about risk mitigation, not response. It’s about prevention, not reaction. And it’s about long-term solutions, not quick fixes.

If something bad does happen, you may still need to react. Your organization’s vulnerabilities might have changed, or maybe there’s a new threat that needs to be addressed. But instead of cranking the security dial-o-matic from zero to 10 and then back down again, perhaps your CSO can help you nudge it from a five to a six.

None of this is quite as instantly gratifying as a new roll of duct tape, of course. But in the end, you’ll be a whole lot better off.

-Sarah D. ScaletMoney Well Spent (and Spent and Spent…)BUDGETING

Stop viewing security as a cost center. Turn it into a business driver.

Nearly everything you do at the executive level is measured in terms of cost and benefit. You use raw data such as financial statements, actuarial tables and decades’ worth of academically rigorous research to ensure that for the shekels you shell out, you’re getting something in return.

Security, though, is different. Or it was different. Your CSO gets the message loud and clear that he should spend the least amount of money possible to protect the enterprise. Security has long been considered a function that requires spendingwith little or no measurable benefit on the investment. That’s a discomforting thought when you’re used to applying everyday business metrics to expenditures.

Security is a classic cost center. A comprehensive security programincluding physical and IT security, fraud prevention, workplace safety and intellectual property protectionis no longer optional, according to Tina LaCroix, vice president and CISO of Aon. What’s more, she says, “It’s a forever commitment, not a one-time expense.”

Sounds like bad news. But it isn’t. As security and the CSO role rise in prominence, executives will bring their CSOs and CISOsand their security requestsinto the world of business, where investments are rigorously measured as something that must be proven beneficial.

Traditional theories and models of risk management must be inculcated into the security world, known for its traditionally dogmatic view. “If you don’t manage risk, you’re going to lose money,” says security consultant Steve Katz, a former CISO for Merrill Lynch, Citigroup and J.P. Morgan. “Companies have been great about looking at credit risk or the risks of a particular customer or region. Companies and regulators are simultaneously beginning to realize the importance of operational risk and information security as a component of it.”

In the coming years, the security community will be working with auditors, lawyers, economists, accountants, insurance companies and a host of other experts to find ways to put structure around the money spent on security. The ability to join in this dialogue is vital to CSOs.

The most important thing you, as a company executive, can do is to recognize security as an integral part of your organization and embrace the CSO as part of the executive team, all the while insisting that the CSO learn and practice risk, cost-benefit analysis and the like. Encourage him to take business courses or perhaps pursue an MBA. While your employees will respect your CSO’s authority, your outward support of his initiatives and a commitment to his professional development will go a long way toward making security awareness part of the corporate culture.

You and your CSO have the same goal: Be smart about risk without going overboard on cost or governance. CSOs want to make other executives’ jobs easier, so do the same for them. And give them the tools they need to make wise decisions.

Your business’s success depends on it.

-Simone KaplanSafe HarborPORT SECURITY

In the team-building portion at your last company offsite, you probably remember an exercise where group A led group B through an obstacle course. Presumably group B exited the course unscathed. The game is similar to the real-life scenario being played out at shipping ports around the world today: In an attempt to lead businesses through transport’s security maze, the U.S. Bureau of Customs and Border Protection has created several programs to improve the inherent lack of trust in the cargo system so that things can move more swiftly through the supply chain.

The Customs-Trade Partnership Against Terrorism, or C-TPAT, is a joint initiative between the government and the private sector aimed at safely expediting containers through ports. Companies that promise to use good security measures and provide documentation of the containers’ contents to Customs officials will be rewarded with an accelerated shipping schedulekind of like a fast lane for cargo.

Companies that enroll in the program must perform self-assessments of their supply chain security and implement a security program that follows C-TPAT guidelines.

The guidelines focus on security compliance of facilities, access, procedures, personnel, documentation and training.

“Anyone at a terminal of a trucking company could infiltrate the cargo supply chain, especially overseas where background checks aren’t allowed,” says Ken Wheatley, vice president of corporate security for Sony. Wheatley is also a member of an advisory council for the C-TPAT initiative that is working with Customs to devise appropriate security guidelines for manufacturers. “The obvious difficulty,” he says, “lies in managing a coordinated effort between various government entities. If you have the Drug Enforcement Agency, Food and Drug Administration, and Customs independently coming up with regulations without communicating with each other, the end users will get caught in a vice with inconsistent standards.”

Another initiative, called the Customs’ Container Security Initiative, or CSI, was launched in January 2002, to ensure the security of those containers in transit by using technology to prescreen and secure containers. Of the top 20 ports worldwide, 18 have already joined CSI. According to Wheatley, becoming a member of the initiative means you are “a trusted importer.” To attain that status, you must provide Customs with details of what you’re shipping and documentation that demonstrates that you are shipping it safely.

-Kathleen CarrRoad RulesTRAVEL SAFETY

The world has always been a dangerous place, but awareness of its perils has grown considerably in the wake of 9/11. Companies and their security officers have an established legal responsibility (a.k.a. “duty to care”) for the safety of employees who travel abroad or are assigned to expatriate postings.

As a result, corporate lawyers lose sleep. Each unprotected employee presents a significant liability to which boards of directors and CEOs are, increasingly, attuned. When questions of employee safety arise, it’s usually your CSO who ends up in the hot seat. And no CSO wants to be caught unable to answer the question, Are our people safe and accounted for?

“Expats and travelers expect more from the company in terms of security intelligence,” says Mark Cheviron, corporate vice president and director of corporate security and services for Archer Daniels Midland (ADM). “And so do their families.” Cheviron knows whereof he speaksADM has employees in more than 70 countries.

To feed their appetite for intelligence about fast-changing conditions in foreign locales, more and more companies are turning to third-party providers for expert help. The various providers offer a range of services consisting of regular bulletins, up-to-the-minute information and insight, access to emergency hotlines and, in rare instances, even rescue services aimed at extracting travelers in distress. Among the players in the field of so-called travel risk management are iJet (an analyst service allied with security behemoth Kroll), Pinkerton and U.K.-based Control Risks Group.

Your CSO will want to choose a provider based on the freshness of its information (how recent it is and how frequently it’s updated) and the depth of its reporting assets (how many people it has on the ground in how many foreign venues). Cheviron cautions about data overload. “You have to be able to cull out what’s important,” he says. To get a balanced view, he recommends asking for a list of client references and calling them. He also trusts peer evaluations from fellow members of organizations like the International Security Management Association.

In other words, if your company has a significant number of people traveling abroad, make sure your CSO has all the information he needs to protect employees from things that go bump on the road.

-Daintry DuffyThe Crime That Keeps on TakingINTELLECTUAL PROPERTY

Your stuff gets taken without necessarily disappearing from the premises. The only way you figure out the crime has even occurred is that your competitive edge somehow vanishes into your arch rival’s new product launch. The stolen advantage becomes a deficit that can last for a very long time.

It’s the theft of intellectual property. “I call it the death of a thousand cuts,” says William Boni, vice president and CISO of Motorola. “Because most organizations don’t have a means for tracking the loss of proprietary information, they go on constantly hemorrhaging, losing market share. Gradually it takes the vitality out of the organization because it’s hard to invent things faster than people are stealing it.”

Dark forces are arrayed not just against the ones and zeroes of vital data assets, but against indiscreet conversations, improperly discarded documents, immodest descriptions of research breakthroughs offered up during presentations at conferences, and hiring processes rich with discoverable insight into areas of business growth. Protective strategieswhich often fall to security executives to developdepend on three things: identifying the assets most vital to the business; spreading awareness throughout the company of their importance; and pursuing ways to limit vulnerability to determined thieves.

Training rooted in enlightened self-interest plays a role, according to John Pontrelli, director of security at W.L. Gore & Associates. Pontrelli lets employees know how losing intellectual property hurts the company. “We rely on each other to protect our trade secrets. Maintaining the integrity of those secrets is the reason we are able to hand out bonus checks at the end of the year. So it affects everyone if something happens.”

In 2000, W.L. Gore created an intellectual property committee aimed at ensuring that communication with the outside world was not too revealing. Says Pontrelli, “The litmus test for all of us is to ask: Would I know this information if I didn’t work here? And would my biggest competitor want this information?”

The urgency of the protection mission is high, says James Chandler, president of the National Intellectual Property Law Institute. “If a company loses its assets, it could die. Intellectual property is what keeps a company viable.”

-Sarah D. ScaletExit Strategies: A True StorySAFE TERMINATION

We never had any proof that Charlie was engaged in criminal activity, but nobody really wanted to know. It was bad enough when we discovered he had lied about his job history and his home address. Why nobody had checked him outwell, mistakes had been made. But as a highly paid consultant, I was called in to do the cleanup.

Charlie (not his real name) was more than simply a highly paid systems operator. He had been hired as a “security architect”the one person who knew the ins and outs of the firewalls, intrusion detection systems, backup auditing devices for the regulators, and even the desktop antivirus system. But that, it turned out, was the problem: Nobody else on staff really knew what Charlie was doing.

Charlie drifted in to the office at 3 in the afternoon; he often stayed until after midnight. He occasionally picked fights with the cleaning staff; he went ballistic if anybody touched the papers on his desk. Some rationalized that he was just hypervigilant about his privacy, which was a good feature to have in a security director. But one day he threatened a coworker“Be careful, or you might discover that all of your files have been corrupted”and at that point we knew we had misjudged the situation. We had a problem on our hands.

The address that Charlie had given on his employment applicationthe address where we sent his paychecksturned out to be a mailbox at Mail Boxes Etc. We went back and checked his referencesfinallyand only one could verify his former employment but said they couldn’t remember him personally. The other two companies were no longer in business.

A standard way to fire somebody is to have security meet him at the front door and escort him to his manager’s office while the security team goes to work. Over the next 10 minutes, the worker’s passwords are reset, his account locked and his card pass deactivated. The employee would then be escorted to his desk to watch while his belongings are inspected and packedafter all, you don’t want a terminated employee to “accidentally” pack up something that’s company-confidential. Finally, he’d be escorted to his car. With two weeks’ notice, he’d draw severance pay from his home.

Former employees can do a tremendous amount of damage because they know all of your secrets, and their anger at being fired might cloud their thinking. When one Silicon Valley computer manufacturer laid off several hundred employees a few years ago, it turned one of its buildings into an “employee relocation center.” Employees were given desks, chairs, working telephone lines and access to a computer network located outside the corporate firewall. The setup helped the employees make the best of a bad situation; they could job hunt while appearing to still be employed, yet they posed no danger to the company’s ongoing operations.

But Charlie’s case was a different matter entirely. Management saw him as a serious threatan unstable insider who knew the entire security plan, and who could easily explode if fired. Were there security problems he knew about and hadn’t fixed? Worse, had he planted back doors for the purpose of exacting revenge?

We hired a group of consultants to audit the network, make sure that every computer was upgraded and properly patched, and then oversee the process of changing every employee’s password. Then we told Charlie we wanted him to meet with the CIO of a company in Japan that we were thinking of acquiring and claimed we wanted Charlie’s opinion of its network.

The minute Charlie’s plane took off, the consultants swung into action. His account was locked, systems were upgraded, operating systems were reinstalled and firewall rules were revised to the highest level of security. Two days later Charlie called from Japan in a panic: He couldn’t log in! We told him we were having problems and had brought in an outside consultant. He flipped.

That night we saw repeated log-in attempts from Japan using Charlie’s account and others. None of them were successful. Then we saw some hack attempts. Fortunately, our external systems had been patched. Meanwhile, the consultants raced to patch the rest of the internal systems. Our friend in Japan called Charlie at his hotel to pretend he was sickcould the meeting be postponed for a few days? Charlie had no choice but to comply. That weekend, our consultants worked 12-hour days. By Monday, they deemed our systems “hack proof.”

We called Charlie and told him the Japan deal was canceled, that he should come back home. (It was tempting to leave him in Japan, but we resisted.) We had a limousine meet him stateside and bring him to our headquarters. An off-duty police officer who occasionally worked for us escorted him to the HR office, where we formally terminated him.

Although the whole process cost us dearly in the checkbook, we ended up with a network that was considerably more secure than the one we started with. Ultimately, however, we didn’t learn our lesson. The following month, our CIO hired a new security architect and proceeded to hand her the only keys to the kingdom.

-Simson Garfinkel