The 2005 CSO Compass Awards: Direction Setters

They are the power brokers of the security industry. These six leaders from the public and the private sectors are writing the security industry’s next chapter—in their own organizations and in the business world. They are the CSO Compass Award honorees, chosen for their leadership in the field and their track records in the profession. We asked each of them what they see as the necessary critical success factors to promote security in their organizations and to share their visions for raising the security executive’s profile.

Regis Becker

Global director, security and compliance, PPG Industries, Pittsburgh; former president and chairman of ASIS International; External Relations Committee, ISMA

Why chosen: Known in security circles as “human infrastructure,” Becker serves as the liaison between the smaller, exclusive ISMA and the larger, education-focused ASIS International.

Winning trait: Becker is well-known and highly regarded in the security industry as a resource for information and expertise.

Wisdom: “What we do [in security roles] is very important. But at the end of the day, we’re trying to enhance our clients’ mission. Look at what they’re trying to accomplish as a business and fit security measures, policies and guidelines into the business strategy.”

Critical success factor for the future: “The convergence of the enterprise risk portfolio. I think risk management is taking on a much broader meaning in some companies, with some having chief risk officers. What’s really involved is internal audit, treasury operations that buy insurance, corporate security, environmental health and safety, the law department; these are all risk areas. One of the trends we’re seeing is that companies are considering these on a holistic basisone person or a team of people looking overall at the risks. We’re not siloing those risks anymore, and our mitigation strategies aren’t siloed either.”

David Burrill

Head of group security, British American Tobacco, London

Why chosen: In 2002, Burrill produced the largest-ever worldwide security cost-benefit analysis for his company. He found that the analysis process proved the value of security by showing that it added to the bottom line. He went on to devise a 10-year strategic plan for his security group.

Winning trait: Well-regarded by his security peers, Burrill sets the bar for strategic thinking on security within an organization.

Wisdom: “Corporate security is to companies what national security is to nations. Once that is understood, the function can never be looked at in a narrow way again.”

Critical success factors for the future: “The security function must be included in the company business planning process for each year, and for long-term strategic purposes, from outset to conclusion. If it is not, it is a second- or lower-grade runner.

“Security should be involved in all major company projects from the outset, which means that the CSO should be a ‘permanent insider.’ If not, it is both a reflection of the perception held of him or her and guarantees that some opportunities to add value to the company will be missed.”

Richard Lefler

Managing partner, Business Security Advisory Group, Phoenix; retired VP and director of corporate security, American Express

Why chosen: During his tenure at American Express, Lefler established himself as a leader among Global 500 security executives as a member of ISMA. He also raised awareness of cyberthreats and their potential effect on every enterprise, demonstrating foresight and understanding of the intersection of physical and digital security.

Winning trait: Lefler is transforming the image of the CSO from somebody who’s contacted when something goes wrong to a strategy-generating executive role.

Wisdom: “The biggest challenge for security officers in large companies is the degree of interoperability and interdependence on most of our critical infrastructure.”

Critical success factors for the future: “CSOs need to think about how to use technology and available research to minimize the cost of improving security so that the company and its customers, employees and investments can be protected at higher levels for the same or lower costs. You can’t simply increase the cost of security and believe you can pass that through your board without having an impact on your sales and revenue. To do that, companies have to be willing to hire good professional security directors and allow them the latitude to work with the government and the education sectors to find solutions.”

Peter G. Neumann

Principal scientist, Principal Systems Group, Computer Science Laboratory at SRI International, Menlo Park, Calif.

Why chosen: When it comes to information security risks, Neumann stands light-years ahead of the curve. Since the mid-1970s, he has chronicled computer systems and software failures in his newsletters and on his website. He has briefed Congress and private enterprises on computer-related risks.

Winning trait: Neumann isn’t afraid to stand up to lawmakers and take them to task on information security issues. “I think the government has been extremely shortsighted. I think the reason Richard Clarke is no longer involved in the government is because nobody wanted to pay attention to him. I’ve had a similar role; in all my testimonies to the House and Senate on the subject, I have repeatedly said that things are getting worse. The bottom line is the government is not doing its job.”

Wisdom: “The critical infrastructures are riddled with security flaws. Corporations that rely so heavily on computers are not recognizing the threats that are confronting them.”

Critical success factors for the future: “[Government and business] tend to pay most attention to the easy problems and completely ignore the hard ones. It’s the hard ones that keep biting us, and we’re not doing anything about it. The [issues of] computer security, reliability, availability and survivability are absolutely fundamental. For the most part, the mass-market software we’re dealing with is not adequately addressing [those issues]. Then, we must educate the population about the risks of using the Internet and the precautions that must be taken.”

Rhonda MacLean

Senior vp and CISO, Bank of America, Charlotte, N.C.

Why chosen: Under MacLean’s leadership, Bank of America was a founding member of the Financial Services Information Security and Analysis Center and a financial services testing laboratory. A promoter of information sharing and public-private-sector partnerships, she has a national voice in the information security industry.

Winning trait: MacLean served for many years in the industry’s most important associations, groups and think tanks, including an appointment in 2002 by the Secretary of Treasury to serve as the sector coordinator and chairwoman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security.

Wisdom: “Computing is a shared responsibility. That means that all users need to practice safe computing.”

Critical success factors for the future: “I’d like to see us really get some focus and traction around the ability to scale, and do what I would call federated authentication and identity management. It’s being able to authenticate that you truly know who you’re doing business with. That’s not just on the customer side; that’s also on the institution side, making sure you are where you think you are. In the physical world, we’re very used to being wary of scams. [Lately] we’ve seen such an emergence on the electronic side, that really keeping in front of that is something we have to be focused on. [We must also] continue to layer on controls. It’s not just about the silver bullet.”

Howard Schmidt

Chief security strategist, U.S. Computer Emergency Readiness Team; chief security strategist, eBay; Former White House cybersecurity adviser; special agent, U.S. Army CID, Computer Crime Investigations Unit (Reserves)

Why chosen: In a career divided between public service and private industry, Schmidt has made tremendous contributions to improving security policies and procedures. He has advanced public awareness of infosecurity and interconnectedness in the security community.

Winning trait: Schmidt inspires security executives to put aside competitive differences and work together toward a common goal of cybersecurity.

Wisdom: “None of us are in this alone. The security industry, collectively, has been making the difference.”

Critical success factors for the future: “We need to continue to move enterprise security through small and medium enterprises, as well as the consumer space. We need to establish an international dialogue on identity management so that we can discuss how to authenticate who we are in an environment where you’re not physically present. Those are things we’ve just started to discuss and see the benefits of. We’re also starting to see identity management in the online world become more robust.”