


by CSO Contributor

How you measure a CSO

Sep 18, 2003 (24 mins)
CSO and CISO; Data and Information Security

When profits go up, the CEO gets a good review. When revenue goes up, the CFO gets a good review. When operating expenses go down, the COO gets a good review.

But when nothing happens, the CSO has ostensibly done his job, and yet he gets pelted with questions: “Why are we spending all this money on security if nothing is happening?” or “How do we know the money we spent actually prevented incidents?” or even “Why can’t we cut your budget since it seems like we’re at a low risk for security incidents right now?”

The CSO role is unique when it comes time for an annual review or a bonus. How do you measure the CSO’s effectiveness when success means that nothing happens, and when nothing happening might just be dumb luck?

It’s harder to review a CSO’s performance than, say, that of a CFO, but it’s not impossible. It’s a matter of gathering circumstantial evidence by asking the right questions. Here are some guidelines.

Do not keep score. To paraphrase a famous crass saying, incidents happen. If your company suffers a security breach, internal or external, that is not, in and of itself, grounds for docking points on your CSO’s scorecard. In certain egregious cases, it might be obvious that the CSO didn’t do what was needed to prevent an incident (for example, he had no policy in place to restrict building access), or a pattern of incidents could show failure at the CSO level. But in the vast majority of cases, security incidents cannot be predicted, only prepared for and effectively mitigated.

So while the impulse may be to simply tick off all the bad stuff that happened in your CSO’s tenure, that’s not the way to judge his overall performance.

In the event of an incident, note how the CSO responds. A good CSO is calm under pressure and will be a natural leader during a security crisis. If you are unfortunate enough to suffer an incident, even a minor one, watch the CSO as he deals with the breach. Is he taking charge, or is he immediately blaming others for not following policy? Does the CSO seem prepared to deal with the incident, or is the response sporadic and purely reactive? If it’s an internal incident, is the CSO prepared to take disciplinary measures? And are those measures standard and consistent, or do they seem arbitrary? If one employee gets suspended for e-mailing sensitive data, every employee who does that must be suspended. No exceptions! Inconsistent enforcement of policy will doom security.

Does your CSO remain in contact with the board during an incident, and is that communication clear and concise, or is he fudging the story and making excuses? You can learn so much about the CSO in crises.

Of course you’d rather not have to learn that way, but, as we said, incidents happen.

Look for basic business prowess. The CSO who complains that it’s impossible to show how good a job he’s doing is not doing a good job. True, ROI metrics are hard to come by with security, but they do exist. And in lieu of metrics, the CSO can still provide qualitative examples of good business practices. Is the security operation efficient? Are policies, technologies and incident response plans standardized? Are they reviewed regularly? Has the CSO adopted risk management to plan security expenditures strategically, or is he just trying to use fear and anxiety tactics to get funding or buy-in?

The good CSO will also communicate like a businessperson and align security with the business, not the other way around.

Gauge how security has been accepted or rejected by employees. Successful education and awareness of the staff is another sign of an effective CSO. A company where employees know not to paste passwords on their computer monitors or let strangers “tailgate” at locked doors (that is, the person with the swipe card holds the door open for strangers) probably has an excellent CSO.

A “culture of security” can be infectious and quite successful. On the other hand, a heavy-handed CSO who constantly imposes rules and disciplines employees can create a sense of lockdown, which is counterproductive.

Above all, look for overall leadership. Leadership, of course, is a know-it-when-you-see-it phenomenon, and by the time you’re ready to give the CSO a review or measure his performance, you should be able to do it effectively, even if nothing has happened.

-Scott Berinato

Peer to Peer

VIEW FROM THE CSO

To say that these are challenging times is the height of understatement. We are reminded every day, for example, of the potential for unconventional (or even conventional) warfare between nations, or of the once merely envisioned reality of facing weapons of mass destruction, or of the catastrophic consequences of electronic attacks against national infrastructures. CSOs work every day in an environment where crime is borderless, where it can occur in microseconds due to the electronic age, and where it is often facilitated by lack of cooperation between governments and agencies. International laws and treaties to address 21st-century crime seem to have been crafted for the age of steamships. Complexities are further magnified by the fact that modern crime may be spawned in one country and passed through several jurisdictions to instantaneously attack victims in multiple other locations. And in the past few years, more and more corporations and individuals have failed to act responsibly as stewards of shareholder and citizen trust.

As a security professional with four decades of experience, I am proud that security leaders have been exemplars in the demonstration of trusted relationships and have acted as custodians of the corporate and institutional consciences. Security leadership has gained in stature through performance and demonstrated value. The profession has risen, in a sense, from the boiler room to the boardroom.

Although the path to becoming a CSO has changed over the years, security executives have typically moved laterally into security leadership from a successful first career in government, law enforcement, the intelligence community or the military. By definition, such individuals come from a culture of discipline, mission accomplishment, knowledge of the global arena, and an ability to cope under pressure or surprise. These achievers often bring a driving personality or a sense of competitiveness to their new careers.

Such loyalty to the job, employer and function is ideally complemented by the significant integrity, honor and ethics that I’ve seen demonstrated over and over again by those who hold the extremely responsible and sensitive position of CSO. There is a sense of comfort with one’s self and with one’s position that is conveyed, for instance, in being willing and eager to develop subordinates to excel beyond themselves, and then to endorse such individuals to seek greater responsibility either with the current corporation or elsewhere. Other O’s are recognizing and honoring their CSOs as true business partners in advancing the values, objectives and successes of the corporation.

These CSOs also recognize that they can find strength rather than risk by seeking out their peers in the business community. Happily, because of an informal code of trust between CSOs in competitive corporations, they can share knowledge without compromising proprietary issues. Security executives have developed formal and informal relationships to share lessons learned and form a common front against terrorism, global crises and cybercrime, and so on. It is an exhilarating experience to witness a candid exchange of tactics, techniques, methodologies, policies and standards in a forum bounded by trust, integrity, mutual respect and notable absence of any hidden agenda.

I am personally aware of instances of security executives returning proprietary information, inadvertently or deliberately acquired by their company, to a competitor with assurances that the information either was not compromised or would not be used in any manner.

Yes, the profession of the CSO continues to be, in my eyes and experience, a culture where trust, integrity, honor and collegial respect are the beacons that guide daily behavior. I am proud to be part of this valued community.

Ray Humphrey is the only person to have held the position of president at both ASIS International and the International Security Management Association, which he also cofounded.

Pass the Aspirin

RISK MANAGEMENT

Worriers. You know the type. Anxiously in evidence at raucous parties in third-story walk-ups, where they spend the whole time fretting about whether the floor is structurally sound enough to withstand all the dancing. They hustle around the place emptying ashtrays and moving drink glasses from the edges of tables. And later, you find out it’s not even their apartment!

That’s your CSO when it comes to the viral orgy of adoption of certain hot technologies. Every fiber of his being is crying out, “Wait! Be careful! These things aren’t secure!” But the din of the partygoers is so loud that no one can hear the warnings, let alone heed them.

Even in this down economy, leading-edge or unstable technology is flowing into businesses, often unofficially, adding significant risk to the computing infrastructure. Consider Web services, IM, wireless networks and PDAs. In each case, the technology brings with it vulnerabilities that can expose your network to unwanted access by outsiders.

These new technologies illustrate a frightening truism: the idea that you can build a wall and control everything on the inside while keeping disruptive elements on the outside is obsolete. And therein lies the rub. For a CSO, the main byproduct of all this eager proliferation is heartburn. Faced with inherently insecure technologies that are also enormously popular with users, the CSO (who may hold an absolutist’s view of keeping the enterprise safe) can end up in a conflict with his own internal customers.

It’s a situation that cries out for middle-ground solutions, as well as for a transfer of “informed accountability” to the business executives who must ultimately decide what level of risk is tolerable. As it turns out, good security is not about secure technologies; it’s about good administration, effective policy development, smart risk management and adroit negotiation.

Along the way, CSOs are often tempted to simply pound their fists and, well, ban something. Consider the case of Paul Clark, EDS’s London-based chief security and privacy executive, who sent out a memo to employees serving notice that the company would begin blocking access to all instant messaging sites because of the security risks. Within a week Clark had to modify the ban. Executives using IM as a cheap way to communicate with customers balked. As an alternative, EDS dedicated a secure port for IM services and limited use only to individuals with a high need for IM capabilities. “It’s not a negative thing,” says Clark of IM. “It’s what the information world is about. But it has to come with controls.”

Perhaps the best long-term hope for CSOs, however, is to provide clear-eyed analyses of the vulnerabilities imposed by various technologies and recommendations on how to best mitigate the risks. Then it falls to the relevant business executive to make an informed call about whether the risks outweigh the accompanying opportunities.

That obligates CSOs to become great communicators, able to interpret and discuss the interplay of business objectives, the range of potential threats associated with them and the costs of mitigating those threats. What most enterprises will also need to address is the reactive posture CSOs are forced into because of the ungoverned way in which technology often infiltrates business organizations: stealthily, user by user, and without the approval of anyone who has a broad view of the IT architecture.

Technology throws some legendary parties. But you don’t want to have to call the police to break them up.

-Daintry Duffy and Lew McCreary

The Public Face of Security

How security is effecting change in public spaces and architecture

Since 9/11, security has become a public phenomenon and part of the popular discourse. How much security do we need? Do we need more surveillance? Who needs to be informed when the threat alert elevates? Is it really useful to have an antiaircraft gun deployed at the Washington Monument? About the only noncontentious statement that one can make about security as a fact of life is that, in general, it’s gotten to be a public impediment. Ugly and in the way.

But even as security threats continue to multiply, signs of a more touchable terrain are emerging in, of all places, Washington, D.C. A new initiative spearheaded by the National Capital Planning Commission is putting forth the almost treasonous idea that security and historic urban design can coexist, even complement one another. The commission’s $878 million Urban Design and Security Plan focuses on restoring the beauty, grandeur and accessibility to areas such as the White House, the Washington Monument (see the diagram on this page) and the Federal Triangle, which all have been blighted by jersey barriers and bollards in the recent “siege-chic” approach to security. The plan solicits proposals for ways to build security into the landscape in subtle ways that still provide an obvious deterrent to a terrorist but become virtually invisible to the average visitor.

Similarly at the corporate level, CSOs can effect the same kind of change by providing security efficiently while not intruding on aesthetic masterpieces, such as The Genzyme Center, the biotech company’s new headquarters in Cambridge, Mass.

There, a glassy design for the new headquarters provides Vice President and CSO Dave Kent with a huge security challenge: Keep intellectual property safe in a building that seems custom built for spying in from the outside.

Not surprisingly, meeting such a challenge starts with policy. Kent and his team are developing a clean-desk policy for employees to follow. But he’s influenced the design of the building in other ways too. He has surveillance equipment built into support columns, saving money on the cost of retrofitting cameras. He helped design a lecture hall with good acoustics to eliminate the need for, and the vulnerability of, wireless microphones. And he helped design a state-of-the-art, combined physical and IS operations center in the building. In fact, Kent’s security plans have their own layer in the blueprints. Security doesn’t get much more ingrained into the culture than that.

In both Washington and Cambridge, the lessons are as clear as the glass skin of The Genzyme Center: Security doesn’t have to be ugly, obtrusive or blatant to be effective; and including a security expert early in the design (or in the case of Washington, D.C., redesign) process not only improves security, but it saves money too. And without an antiaircraft gun or jersey barrier in sight.

-Scott Berinato and Daintry Duffy

Glossary

Terms your CSO is likely to use…when you finally invite him to the board meeting

Acceptable use policy What an employee can and can’t do when using information resources. This policy may also disclose the employer’s monitoring procedures. (If yours doesn’t, it should.)

American Society for Industrial Security (ASIS) International A professional membership organization that provides security practitioners with programs and services to increase their productivity and effectiveness. ASIS has more than 33,000 members worldwide whose titles range from CSO and vice president of security to security manager and director.

Authentication A method of confirming a user’s identity. Techniques typically rely on something the user knows (a password or PIN), something the user has (a smart card, an ATM card or a token that generates one-time codes), or something the user is (a fingerprint, iris scan or set of facial features). The strongest authentication combines two or three of those factors, each checked independently, so that stealing one of them (a password, say) is not enough to get in.
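To make the three factors concrete, here is an added example (not code from the original glossary or its sources) of a two-factor login check in Python: the first factor is a password stored only as a salted PBKDF2 hash, the second is a time-based one-time code of the kind a hardware or phone token produces (RFC 6238 TOTP, HMAC-SHA1 over a 30-second counter). The function names, the iteration count and the drift window are this example’s own choices, not something the page prescribes.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000  # assumption for this example; tune to your hardware

# Factor 1, something the user knows: a password, stored only as a salted hash.
def hash_password(password, salt=None):
    """Return (salt, derived_key). Store both; never store the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk

def verify_password(password, salt, stored_dk):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_dk)  # constant-time comparison

# Factor 2, something the user has: a TOTP token. The shared secret lives on the token
# and on the server; only the six-digit code travels with the login, and it is valid
# for one 30-second step.
def totp(secret, unix_time, step=30, digits=6):
    counter = struct.pack(">Q", unix_time // step)           # 8-byte big-endian step count
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, code, unix_time, window=1, step=30):
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
               for k in range(-window, window + 1))

def two_factor_login(password, salt, stored_dk, totp_secret, code, unix_time):
    """Both factors must pass. Both are always evaluated so that response time
    does not reveal which one failed."""
    ok_know = verify_password(password, salt, stored_dk)
    ok_have = verify_totp(totp_secret, code, unix_time)
    return ok_know and ok_have

if __name__ == "__main__":
    import time
    salt, dk = hash_password("correct horse battery staple")
    secret = os.urandom(20)  # would be provisioned to the user's token at enrollment
    now = int(time.time())
    print(two_factor_login("correct horse battery staple", salt, dk, secret, totp(secret, now), now))
```

The drift window is the practitioner’s trade-off: each extra step accepted doubles the number of codes an attacker can guess, so keep it to one step and fix clock synchronization rather than widening it.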

Bandwidth The amount of data traffic a network can handle in a given period of time. High bandwidth means more data per second can be transported.

Biometrics The authentication of a user based on physical characteristics, such as a fingerprint, iris, face, voice or handwriting. The cost of biometric systems has been dropping and reliability is improving, but many analysts say the technology will not be ready for full-scale use before 2005.

Black intelligence Dirty work at the crossroads; information obtained through espionage.

Breach The unauthorized penetration of a system. A violation of controls of a particular information system, such that information assets or system components are unduly exposed.

Buffer A region of memory, of fixed size, that an application sets aside to hold data, such as input it is reading from the network or a file.

Buffer overflow Ten pounds of data in a five-pound bag. When an application writes more data into a buffer than the buffer was allocated to hold, the excess spills into adjacent memory. At best the program crashes; at worst an attacker who controls the input overwrites control data (a return address, for instance) and gets the program to run code of his choosing (see Breach).

CERT Coordination Center The computer emergency response team coordination center is a federally funded research center at Carnegie Mellon University that focuses on technical issues related to Internet security. CERT/CC provides training, incident response guidance, R&D, threat advisories and more. Check out

Certified information security manager (CISM) A relatively new certification recognizing skills in information risk management and technical security issues; geared toward managers who oversee enterprise information security at the conceptual level.

Certified information systems auditor (CISA) This certification indicates excellence in the areas of IS auditing, control and security. More than 30,000 people hold this widely recognized certification.

Certified information systems security professional (CISSP) The 800-pound gorilla of IS certification. To get it, you must pass an exam consisting of 250 multiple choice questions that cover such topics as access-control systems, cryptography and security management practices.

Chief information security officer (CISO) Presides over the digital side of security. A relatively new position in most organizations, the CISO is responsible for infosecurity strategy and practice, and often reports to the CIO or CTO.

Closed-circuit television (CCTV) A surveillance system in which signals are distributed via cables to a private network of monitors. CCTV is most often used for security surveillance in small, closed areas such as buildings or parking garages. But there are some extensive governmental CCTV networks, in the United Kingdom, for example, used for widely monitoring public spaces.

Computer Security Institute (CSI) An educational membership organization that offers conferences, training and networking opportunities to security professionals.

Cryptography The art and science of rendering plain text unintelligible to anyone without the key, and of converting encrypted messages back into intelligible form for those who have it.

Cyberinsurance Policies covering losses incurred online or within computers and information networks. Coverage targets areas neglected in traditional insurance.

Data encryption standard (DES) A symmetric block cipher, adopted as a U.S. federal standard in 1977 by what is now the National Institute of Standards and Technology, that enciphers and deciphers 64-bit blocks of data under a 56-bit key. That key length is now too short to resist brute-force search, and DES has been superseded by the Advanced Encryption Standard (AES), published by NIST in 2001.

Denial-of-service (DOS) attacksA concerted attack in which a mail server, Web server or even telephone system is deliberately overwhelmed with phony requests so that it cannot respond properly to valid ones (see Distributed denial-of-service attacks).

Digital certificate The electronic equivalent of an ID card. A certificate binds a public key to its owner’s name and other identifying data, and is itself digitally signed by a certification authority, which vouches for that binding. Anyone who trusts the certification authority can then use the key in the certificate to verify the owner’s digital signatures or to encrypt data that only the owner can read.

Digital signature A value computed over a document with the signer’s private key and checked with the signer’s public key (see PKI). It authenticates the sender and verifies that the document has not been altered since it was signed: change one bit of the document and the signature no longer verifies.

Distributed denial-of-service (DDOS) attacks A DOS attack (see Denial-of-service attacks) launched at once from many machines the attacker has previously compromised and planted his code on. Distributed attacks are harder to stop than attacks from a single machine because there is no one source to block; the flood arrives from hundreds or thousands of IP addresses, most of them belonging to innocent third parties.

Encryption The transformation of data, under the control of a key, so that it cannot be read without that key. Symmetric encryption (DES, AES) uses one shared secret key both to encrypt and to decrypt, so its hard problem is getting that key to the other party safely. Asymmetric, or public-key, encryption uses a pair of keys, one private to the individual and the other public and widely shared: anyone can encrypt to the public key, but only the holder of the private key can decrypt, and many users can hold the same public key without endangering the private one. Neither kind is simply “best”: asymmetric encryption is far slower, so in practice it is used to exchange a symmetric key or to sign data, and the bulk of the traffic is encrypted symmetrically. (Morse code is not encryption of either kind; it is a public encoding with no key at all.)
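To show the difference between the two kinds of key, and what a digital signature (see Digital signature) actually is, here is an added example in Python that is not part of the original glossary. It is textbook RSA with two small fixed primes chosen so the arithmetic is instant; real systems use random primes of 1024 bits or more and a padding scheme (OAEP for encryption, PSS for signatures), none of which appears here. The parameter names and helper functions are this example’s own.

```python
import hashlib
import hmac
from math import gcd

# Toy parameters (assumption for this example): two Mersenne primes, giving a ~92-bit modulus.
# Far too small for real use, large enough to encrypt a short message.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1

def make_keypair(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, plaintext):
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    """Only the private key recovers the plaintext (leading zero bytes are not preserved)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest_mod_n(message, n):
    # Sign a hash of the message, never the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)

# Symmetric contrast: a keyed hash (HMAC) proves integrity with one shared key, so anyone
# who can verify a tag can also forge one. A signature's verifier cannot forge it.
def symmetric_tag(shared_key, message):
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def symmetric_verify(shared_key, message, tag):
    return hmac.compare_digest(symmetric_tag(shared_key, message), tag)

if __name__ == "__main__":
    pub, priv = make_keypair()
    print(decrypt(priv, encrypt(pub, b"top secret")))
    sig = sign(priv, b"pay 100 to alice")
    print(verify(pub, b"pay 100 to alice", sig), verify(pub, b"pay 900 to alice", sig))
```

The two verify calls at the end are the point of a signature: the public key confirms the untouched document and rejects the altered one, and nobody holding only the public key could have produced the signature in the first place.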

False negative The failure of a system to recognize an intrusive action.

False positive The erroneous classification of an action as anomalous (a possible intrusion) when it is, in fact, legitimate and benign.

Firewall Hardware and software that enforces a boundary between two or more networks by permitting or blocking traffic in accordance with local security policy. A firewall is usually also used to carve out a demilitarized zone (DMZ): a separately filtered segment for the public-facing servers (Web, mail) that must accept connections from outside, kept apart from the internal network that holds the critical data. A firewall is only as good as its rule set, and it sees nothing that bypasses it (a modem, a rogue wireless access point, an encrypted tunnel it is told to let through).

Freedom of Information Act (FOIA) Legislation passed to ensure that the public gets access to certain government information. FOIA creates procedures enabling citizens to petition federal departments or agencies by describing specific information they believe the agency has on file, and to request photocopies of those files.

Gateway A device that can isolate and control the flow of information between a computer system and authenticated users on networks connected to the system. Based on a user’s profile, the gateway regulates his access to various network destinations.

Gramm-Leach-Bliley Act Legislation that restricts the ways in which financial institutions can share private consumer data with nonaffiliated third parties. In addition, companies with significant involvement in finance must alert customers about their information-sharing policies and practices and obtain consent to share their data.

Health Insurance Portability and Accountability Act (HIPAA) Regulations designed to protect patients’ privacy rights. Provisions require doctors, hospitals, insurance companies and pharmacies to obtain a patient’s written authorization before disclosing medical information for purposes other than treatment, payment and health-care operations; to account for disclosures of that data; to designate a privacy official; and to give patients access to their own records, including the ability to request corrections.

Honeypots Decoy systems with no production purpose, deployed to attract and log the probes and attacks of malicious hackers and crackers. Because no legitimate user has any reason to touch a honeypot, every connection to it is suspect, which makes its logs unusually free of false alarms. Honeypots do not protect the network by themselves, but they can glean data about “black hat” behavior, show which weaknesses attackers are probing for, and help in postattack forensic analysis. They must be isolated so that a compromised honeypot cannot become a stepping stone to real systems.

Information security The protection of information against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional; a system of administrative policies and procedures for identifying, controlling and protecting information.

Information security director The person responsible for protecting information, often accountable directly to the CIO. She generally has global responsibilities for policy development, compliance, investigations and information protection.

Information Sharing and Analysis Center (ISAC) A number of industry-specific groups (in financial services, energy, telecom and transportation, among other sectors) formed to give critical infrastructure companies a forum for information-sharing about security threats and vulnerabilities.

InfraGard Public and private information-sharing effort led by the FBI with local chapters across the United States.

International Information Systems Security Certification Consortium (ISC2) International, nonprofit organization dedicated to developing training, certification exams and a common body of information security knowledge.

International Security Management Association (ISMA) Security organization that represents CSOs from more than 300 of the largest global corporations.

Intrusion detection system (IDS) Security software (or an appliance) that watches network traffic or host activity and records the attempts it recognizes as compromises of a network, for example, someone scanning server ports or making repeated attempts to log in using guessed passwords. Signature-based systems match known attack patterns; anomaly-based systems flag departures from a baseline of normal behavior. Neither catches everything (see False negative), and tuning a system so it does not cry wolf (see False positive) is most of the work of running one.
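The two examples the entry gives, port scanning and repeated failed logins, are the simplest kind of signature an IDS looks for, and they also illustrate the False positive and False negative entries above. Here is an added example in Python, not code from the glossary or its sources, that runs both detections over a few constructed log lines (invented for this example, in sshd and firewall style; no real system produced them). The thresholds are assumptions, and moving them is exactly what trades false positives for false negatives.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real host). Lines 1-5: one address hammering
# sshd with guessed passwords; lines 6-7: a legitimate user who mistypes once, then
# succeeds; then a firewall-style connection log with one address sweeping ports.
SAMPLE_LOG = """\
Sep 18 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 18 10:00:02 host sshd[101]: Failed password for root from 203.0.113.7 port 51123 ssh2
Sep 18 10:00:03 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Sep 18 10:00:04 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51125 ssh2
Sep 18 10:00:05 host sshd[101]: Failed password for invalid user oracle from 203.0.113.7 port 51126 ssh2
Sep 18 10:00:06 host sshd[101]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Sep 18 10:00:07 host sshd[101]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Sep 18 10:01:00 host kernel: CONN SRC=192.0.2.55 DST=10.0.0.5 DPT=21
Sep 18 10:01:00 host kernel: CONN SRC=192.0.2.55 DST=10.0.0.5 DPT=22
Sep 18 10:01:00 host kernel: CONN SRC=192.0.2.55 DST=10.0.0.5 DPT=23
Sep 18 10:01:00 host kernel: CONN SRC=192.0.2.55 DST=10.0.0.5 DPT=25
Sep 18 10:01:00 host kernel: CONN SRC=192.0.2.55 DST=10.0.0.5 DPT=80
Sep 18 10:01:01 host kernel: CONN SRC=192.0.2.55 DST=10.0.0.5 DPT=443
Sep 18 10:01:02 host kernel: CONN SRC=198.51.100.9 DST=10.0.0.5 DPT=80
Sep 18 10:01:03 host kernel: CONN SRC=198.51.100.9 DST=10.0.0.5 DPT=443
"""

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
CONN_RE = re.compile(r"CONN SRC=(\d+\.\d+\.\d+\.\d+) DST=\S+ DPT=(\d+)")

def count_failures(log_text):
    """Map source IP -> number of failed logins it caused."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return dict(failures)

def count_ports(log_text):
    """Map source IP -> set of distinct destination ports it touched."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return dict(ports)

def detect(log_text, fail_threshold=5, scan_threshold=5):
    """Return sorted (alert_type, source_ip, count) tuples. Thresholds are assumptions."""
    alerts = []
    for ip, n in count_failures(log_text).items():
        if n >= fail_threshold:
            alerts.append(("brute_force", ip, n))
    for ip, ports in count_ports(log_text).items():
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", ip, len(ports)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the default thresholds the attacker and the scanner are reported and alice’s single typo is not. Drop the failure threshold to 1 and alice becomes a false positive; raise it to 6 and the attacker, who stopped at five guesses, becomes a false negative. A real IDS adds a time window to these counts so that five failures spread over a month do not look like five in four seconds.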

ISO 17799 A set of information security management standards created by the International Organization for Standardization. When is a standard not a standard? Because ISO 17799 provisions function more like voluntary guidelines, companies cannot be certified against its provisions. Still, they are the most widely recognized international security standards.

Layered security A physical security approach that requires a criminal to penetrate or overcome a series of security layers before reaching a target. The layers might be perimeter barriers; building or area protection with locks, CCTV and guards; and point-and-trap protection using safes, vaults and sensors.

Malicious code Software designed to do harm: viruses, worms, Trojan horses (programs that appear to perform a useful or desirable function but actually gain unauthorized access to system resources) and the like, including code that tricks a user into causing other malicious code to execute.

Overt surveillance Letting the bad guys know you’re there. This tactic is usually applied in high crime areas as a means for discouraging criminal behavior. (Among the attributed effects of widespread CCTV use in the United Kingdom is citizens’ awareness in public that they are often being watched.)

Password sniffing Passive wiretapping, usually on a local area network, to gain knowledge of passwords.

Patch A small update released by a software manufacturer to fix known vulnerabilities (bugs) in existing programs.

Penetration testing Also called pen testing, an authorized, simulated attack on a network, application or facility that probes for weaknesses an intruder could exploit and then reports them, with the evidence, so they can be fixed.

Physical security The part of security concerned with physical measures designed to safeguard personnel; prevent unauthorized access to equipment, installations, material and documents; and safeguard them against espionage, sabotage, damage and theft.

Privacy Something people used to care a lot aboutwhich is a good thing, since there’s less and less of it left. Depending on the agency and the day of the week, the federal government oscillates crazily between, on the one hand, ordering you to provide privacy for customers and transactions and, on the other hand, petitioning Congress and the courts to ratify plans to violate it evermore aggressively. Privacy has clearly seen better days.

Public-key infrastructure (PKI) A system for securely exchanging information. It includes a method for publishing the public keys used in public-key cryptography and for keeping track of keys that are no longer valid.

Radio Frequency Identification (RFID) A wireless system for transmitting basic data, which consists of an antenna and receiver on one end and a transponder (or tag) on the other end. A common example of an RFID can be found in fast lanes at toll booths. RFIDs are an alternative to bar codes or other identifiers that require line of sight or some kind of contact to transmit data. They are also gaining prominence because they are inexpensive to produce and easy to adapt. They can be put into tires or woven into clothes, for example. However, many privacy advocates are concerned about widespread use and the abuse of this technology, which could easily collect data without one knowing it’s happening.

Return on security investment (ROSI) A way of reassuring the enterprise that its security investments aren’t bottomless or valueless. The point of maximum ROSI is where the total cost of security is lowestfactoring in both the cost of security breaches and the cost of the controls designed to prevent them.

Risk What keeps you up at night. A level of threat rationally understood in the context of your vulnerability to it. How much of it your enterprise will tolerate depends on what it has to gain or lose as a result.

Risk assessment The process by which risks are identified and their impact determined.

SANS Institute A research organization that offers alerts, training and certification; operates and the Internet Storm Center.

Secure electronic transaction (SET) A protocol developed to provide for secure end-to-end online credit card transactions. All parties (customers, merchants and banks) are authenticated using digital signatures; and encryption protects the message and provides integrity.

Secure sockets layer (SSL) A protocol that enables encrypted communications between a server and a client on TCP/IP networks, such as the Internet. The SSL-enabled server authenticates itself to the client with a digital certificate. The client may also authenticate itself to the server with a certificate of its own, but in most deployments (an ordinary Web browser, say) it does not, and the user is authenticated later, by password, inside the encrypted session. Once the handshake completes, the two machines share a session key and exchange encrypted data.

Security policy A set of rules and practices that guides a system or organization in providing security services.

Sniffer A tool that monitors network traffic as it is received in a network interface.
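The Password sniffing and Sniffer entries describe the same threat from two sides; the following added Python example (not code from the glossary or its sources) shows why it works by pulling credentials out of a handful of constructed application-layer payloads, invented for this example, of the kind a sniffer on a shared LAN would see. It recovers the FTP password sent in the clear and the HTTP Basic credential, which is merely base64-encoded, not encrypted, and finds nothing in the SSL-protected payload. Flow pairing and protocol detection by destination port are simplifications of this example.

```python
import base64
import re

# Constructed payloads (source, destination, bytes); not a real capture.
CAPTURED = [
    ("10.0.0.12:50000", "10.0.0.5:21", b"USER bob\r\n"),
    ("10.0.0.12:50000", "10.0.0.5:21", b"PASS hunter2\r\n"),
    ("10.0.0.13:50001", "10.0.0.5:80",
     b"GET /reports HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:s3cr3t") + b"\r\n\r\n"),
    # An SSL/TLS record: the sniffer sees only the handshake bytes, never the credential.
    ("10.0.0.14:50002", "10.0.0.5:443", b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01"),
]

FTP_RE = re.compile(rb"^(USER|PASS) (\S+)", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")

def extract_credentials(packets):
    """Return (protocol, destination, username, password) for every credential
    that crosses the wire in a readable form."""
    found = []
    pending_user = {}  # FTP sends USER and PASS in separate packets: pair them per flow
    for src, dst, payload in packets:
        if dst.endswith(":21"):
            for cmd, arg in FTP_RE.findall(payload):
                if cmd == b"USER":
                    pending_user[(src, dst)] = arg.decode()
                else:
                    found.append(("ftp", dst, pending_user.get((src, dst), "?"), arg.decode()))
        m = BASIC_RE.search(payload)
        if m:
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            found.append(("http-basic", dst, user, pw))
    return found

if __name__ == "__main__":
    for cred in extract_credentials(CAPTURED):
        print(cred)
```

The defence the glossary points toward is the one the third packet demonstrates: put the protocol inside an encrypted channel (SSL, SSH, a VPN), so the sniffer still captures the bytes but learns nothing from them.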

Tailgating The act of entering a building as someone else with access credentials holds the door open. Tailgating is one of the most common techniques criminals use to gain illegal entry into facilities.

Virtual private network (VPN) A private network carried over a public one. VPNs allow remote users and branch offices to connect to a corporate network through an encrypted, authenticated tunnel across the public Internet, so that traffic cannot be read or altered in transit. A VPN is generally far less expensive for a company than building and operating its own dedicated network, but it extends the internal network to whatever machine sits at the far end of the tunnel, so that machine must be held to the same standard as one inside the building.

Virus A hidden, self-replicating piece of computer software, usually malicious logic that propagates by infecting (for example, inserting a copy of itself into) another program. A virus cannot run by itself; it requires the operation of its host program.

Wireless application protocol (WAP) A specification for a set of communications protocols to standardize the way that wireless devices, such as cell phones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups and instant messaging.

Sources: CSO reporting; SANS Institute; ASIS

Chief security officer (CSO)

The highest-ranking security person in a company. Responsibilities can cover both corporate and information security, including policy and execution across such varied areas as risk assessment, physical security, background checks, data privacy and intellectual property protection.