A Rogue’s Gallery of Security Leaders

Apr 01, 2004 | 8 mins
CSO and CISO | IT Leadership

What makes a good CSO? Or, maybe more important, what makes a bad one? Some role models for up-and-coming CSOs to follow, or not.

It takes all kinds, as they say, and believe me, I’ve seen ’em all in the past 30-plus years.

I’m talking about CSO-types. You know, the guys and gals like you and me who make a living out of measuring risk, protecting data and securing the enterprise. You’ve heard all the clichés before. Our personality types become cliché as well. Remember Wilfred Brimley in The Firm? A wholesome, ethics-laden pillar of the corporate community, he made a great poster child for Sarbanes-Oxley.

And then there are the yahoos who keep the security role in the blue-collar ranks. The B-school executives see these security types and roll out the pigeonholes, while some CEO cop buffs think that hiring their local federal agent-in-charge is the answer to modern security risk management. I can’t say that I blame them, though. It’s easy to create the stereotypes that inundate this profession.

Where are the role models for businesses to follow when trying to establish the CSO position? And more to the point, who are the role models for our own up-and-coming CSOs to follow? Other Chief Whatever Officers seem to understand their own profiles. What’s wrong with us?

Maybe, in part, it’s because the CSO title is a relatively new idea. As a result, we don’t have a lot of experience on which to draw.

Maybe, just maybe, the profession has some spring cleaning to do. If we truly want to help promote the value of the good CSOs, we’re going to have to cultivate some of the bad seeds:

The Chief Sympathy Officer This whiner complains to anyone who will listen that he “doesn’t get no respect.” It’s true, but is it any wonder why? He doesn’t know anyone in the corner office of the parking garage, let alone someone on Executive Row. As a result, his department gets handed every menial task imaginable.

The Knuckle-Dragger This CSO is intellectually uninspired and wonders aloud how some of his counterparts in other local companies “do that.” By “that,” he means getting connected to business processes and being seen as a player in the corporate risk management scheme. He has reported to three different managers in the past three years, each time falling lower and lower in the pecking order. And no one in his company will know they’re in trouble until something hits the fan.

Mr. Spandex This guy is right out of central casting. He’s the sleazeball who got canned at a prior security gig for planting cameras in the women’s locker room in the company exercise facility. Tanned and fit, he dresses to the nines and starts every sentence with the word “I.” And if you dare to call him after hours in the event of an emergency, you have to yell to be heard over the bar crowd.

The Field Commander Former military with a capital M. Evidence of his rank, however irrelevant to those around him, can be found all over the walls of his office. His résumé spans five pages in seven-point type and reads like a study in national security. He petrifies the “troops” in HR with talk about “body count” and “intel.” And he refers to the CISO as “an educated idiot who has never heard the sound of gunfire.” He is the brother-in-law of a retired general who serves on the company’s board of directors.

The Golfer Retired from some big federal law enforcement job, and he’s here because he has connections. Heavy lifting is limited to double martinis. He travels a lot; in fact, his expense account seriously challenges the line item for rent at our headquarters facility. The Golfer goes to every security conference, where he makes sure to have a tee time (with at least a half dozen of his former fed colleagues), while everyone else is back at the hotel learning from the academic programs. He thinks Sarbanes-Oxley is a rash you get in Thailand. Lucky for him (and his company), his number-two person is a great guy who gets it all done behind the scenes.

The Geek Speaks a language with which I am not familiar. He lives in abject fear of a sort of techno Armageddon, and when you ask, innocently enough, “Hey, how’re ya doin?” he’s likely to blurt out, “We’re doomed! We’re all doomed.” He tends toward intellectual arrogance and fails to see security as a collaborative process “because nobody around here understands how really dangerous it is out there.” The geek writes off the physical security types as insignificant in the security scheme and really acts out when one of his techy contractors is led away for passing customer information to the competition (for whom he also works after hours).

The Spy Plays to the dark side of the CEO, and a brass plaque on his desk admonishes that you “Trust No One!” This guy makes Rasputin look like a choirboy. He’s sneaky, manipulative and more than creative with the truth. He seems to fancy himself as the only honest person left in a world of liars and eventual felons. His biggest threat is that he has the ear of the CEO, and he has singlehandedly destroyed any vestige of trust and credibility in the security function. By the way, the reporting of potential internal misconduct has dropped to next-to-nil in his time here.

The C.E.E. (or Certified Expert in Everything) Grandfathered into every discipline remotely related to security, this guy lives for the learning of the new professional association. His business card looks like the typesetter was on steroids. He attends at least one annual society meeting per month and now requires his team to take certification by exam.

The Gunslinger This is your consummate criminal investigator. He’s typically the first security executive ever in his particular company, having been recruited by the head of HR from the local police department. He’s not really interested in the business, nor does he have much time for “the suits.” The concept of “prevention” barely enters this CSO’s strategic plan. He lives for the chase and knows it will come someday.

The Raconteur He knows how to play to the prurient interests of his audience. He hasn’t met a security incident he couldn’t embellish, with you-know-who in the starring role. Ironically, he fires people for failing to label confidential material but brags about our corporate safeguards on airplanes, in bars, at conventions and wherever he can get an ear. When asked if he can do something to address an executive’s concerns, The Raconteur volunteers a history of accomplishments that rival Winston Churchill’s during WWII. Known in smaller circles of colleagues as The B.S. Artist, our storyteller is a reckless big mouth who is being examined by outside investigators for libel and defamation arising from several prior internal investigations.

You can probably mix and match the characteristics of several of these types to form your own assortment of characters. Some may be the butt of employee jokes, but that’s where the humor stops. These people are sending the wrong message to our general auditors and counsel, to human resource departments and the corner offices. Worse, they may be putting companies at greater risk because of their shortcomings. In short, these fellow security-types are coloring the perceptions and expectations of an already fragile CSO position.

We in the security arena are sometimes afraid to dis our brothers and sisters. A colleague asks us to support a new member of the club, and we ask no questions about his or her competency or ethics. (God forbid a former cop or federal agent trashes the application of a fellow alumnus.)

Look at the number of corporations that have made the CSO job an automatic incumbency for one agency or another. And we call this raising the bar?

Our information security brethren have done far better from what I have seen. That fraternity is just as strong as the CSOs’, mind you. But it tends to live in a more measurable world, ordered by physics, mathematics and the evil sciences. They have a common vocabulary and a clear set of accepted standards. Don’t get me wrong. I admire that order and respect their technical competence. It’s their narrow perspective on security that bothers me.

At the end of the day, a lot of this stuff is self-correcting. My poster kids depicted above tend to get theirs at some point. But what damage they can do in the meantime to a corporation, its shareholders and the employees! They play to the dark side of corporate ethics or constrain demonstrations of what value security can really bring to the enterprise.

Happily, in my long experience, I’ve found that there are a hell of a lot more of the ones I try to emulate than the ones who hold us back.