A CSO’s First 100 Days On the Job

IndyMac in order to quickly demonstrate security’s value. My first win here was complex passwords.

There was worry about increased help desk calls and passwords ending up on stickies. It took some

hand-holding. But they’ve accepted the reality that when you don’t have the complex password

requirement, employees will create six-character passwords that are all the same letter. And that’s not

secure. Within about 30 days, I had complex passwords implemented and enforced.

report on a shared network. Any team member can go in and look at it. Some can update it. I review it

weekly and present the status to the executive VP of technology every other week.

I’ve learned a good use of that time is to download news and business podcasts so I can listen on the

way to and from work.

so far is developing the enterprise security and privacy strategy. The reason it’s so complex is it

comprises physical security, IT security, business continuity, compliance and privacy; it has to talk

about the business drivers and has to be flexible enough to adapt to the bank’s future vision. I’m

comfortable with what we’ve produced. What I really need is the next item.

the same floor. How’s that for convergence? Another convergence-minded step we’ve taken: joint status

meetings. We’ll get crisis management, emergency response working directly with the technology

recovery group. They’ve got to talk. There’s still some cliquishness, so in the meetings I’ll bring up

topics of common interest—for example, access management. They all have a stake in that.

Once the strategy is approved, I’d like to take it on a road show with management and highlight the

advantages of integrating physical and IT security, thus creating a “one-stop shop” for security.

background where you wear suits every day. Here, we have casual work clothes, that includes the

option to wear golf shorts. It felt different the first few days. As funny as it sounds, it’s an adjustment

for me.

confidential or not confidential. I requested a third classification, “personally identifiable information.” I

think some folks were worried three would turn into four would turn into 10 would turn into 400. So I

waved the regulatory wand and said, If we stay at two classifications, we’re going to have to encrypt

everything under the sun. This way, we can encrypt a subset of information. So we created a working

group to set the policy, developed standards and now have a policy with three classes of assets.

we have way too many security policies. That happens when you work tactically, ad hoc. Something

comes up and someone develops a policy regarding that specific incident. Soon enough, you have all

these policies and the only people reading all of them are internal audit. I want to develop a simple,

flexible security policy that follows the ISO framework.

tactical. I want to bring that down to about 40 percent. I’ll do it by creating a strategy/architecture

group.

of our facilities. The next step will be to determine which facilities need to upgrade controls like

mantraps, surveillance and so forth.

need to think of security as an enabler of future business and a market differentiator. To do this my

team should work on projects that are forward-thinking while addressing present control concerns.

li>