Show Time for Security

Think security is too serious a matter for such fluffery? Think again. It’s precisely because security is so important that we need to pay attention to how it’s perceived.

The more we talked with security leaders, the more we realized that image is critical to everything the CSO does. Gavin de Becker, author of the book The Gift of Fear, is especially eloquent on the subject. “There is an element of appearances to security, and I don’t mean this in an unfavorable way,” says the famously unflappable de Becker, who has guarded his image as closely as the Hollywood stars he is hired to protect. “Precautions that are expected to deter often draw some of their effectiveness from appearing to be this or that. Effective security professionals know that demeanor and appearances are a language that can communicate confidence far more keenly than mere words.”

Right now, however, security has an image problem. “We are increasingly seeing a security apartheid,” says Thornton May, longtime IT consultant and observer. “Security professionals are increasingly isolated from the organizational mainstream.”

May is pessimistic about the CSO’s propensity for change. But we truly believe that the most successful among you are trying to make over yourselves and your profession, the better to inspire confidence and authority. Once an assortment of stereotyped “geeks” and “guards” who’d been promoted up a few tax brackets, CSOs are now struggling to becomeand be recognized asbusinessmen and women who take a strategic view of risks across the enterprise.

This effort is an image battle as much as anything else, and the change is happening on three levels. On the first level are CSOs themselvesyouwho are learning that to be taken seriously as executives, you have to act like your peers from other parts of the business. It might seem obvious, but you do have to talk like a businessperson. You do have to dress like a businessperson. Heck, you might even decide you need a new haircut. Just look at what eBay’s Howard Schmidt, one of the country’s most prominent CISOs, has done to his look over the years. (Schmidt explains why in “Mr. Schmidt Goes to Barney’s” on Page 44.)

Closely tied with the CSO’s personal image is a second level: how other business executives and their staffs view the security department and its leader. This perception is fundamental to any security awareness program and the key to selling any security initiative to the rest of the business. Michael Assante, CSO of American Electric Power, is candid about the kind of forethought that goes into this transformation. “I knew that image was going to be an important part of being able to have success,” says Assante, who two years ago became the first person at AEP to have control over both corporate and information security. “I overthought about everything.”

Assante concluded that he needed to distance himself from his military roots and incorporate himself into the business, as the leader of a new department called enterprise risk management. He does part of this through the way he dresses. (See “Secrets of Their Success,” Page 26.) But the strategy runs much deeper. “Yes, there’s a guard force component,” he says of the security department. “Yes, there’s a law enforcement component. But I’ve really worked to drive that out of our image. I make sure that when we talk to folks, we’re understanding their business processes. And then, when we sit down to talk about security exposures, we present a strong business case.” Assante thinks the approach has worked, because now people ask for his advice on other kinds of risks. If Schmidt is post-geek, then Assante is post-guard.

Finally, the third level of this transformation has to do with the way the corporation as a whole makes security part of its image. This is the endgame, the payoff, and we’re beginning to get therebut just barely. So far, in fact, most of the companies that are marketing their security (security vendors aside) are ones that have been forced to, such as Microsoft. (See “Security Sells,” Page 46, for more.)

Skeptics could argue that their actions are just lip service. There’s an entrenched mistrust in security of things that are done just for lookswhat author Bruce Schneier likes to call “security theater.” But we’re not talking about doing things because they look good. We’re talking about making things look as good as they are.

“Image is 100 percent important,” says Schneier, author of Beyond Fear and a prominent observer of the security industry’s evolution. “Otherwise you’re not listened to; you’re not taken seriously; you can’t get the budget. If you don’t deal with everything around the politics and socialization, you never get to the actual security.”

In other words, it’s not style over substance.

It’s substance, with style. *