


A CSO’s First 100 Days On the Job

Dec 01, 2006 | 4 mins

The CSO of IndyMac Bank shares his aggressive to-do list for his first 100 days on the job

  • Get an early win. I wanted to make sure I plucked a low-hanging fruit at IndyMac in order to quickly demonstrate security’s value. My first win here was complex passwords. There was worry about increased help desk calls and passwords ending up on stickies. It took some hand-holding. But they’ve accepted the reality that when you don’t have the complex password requirement, employees will create six-character passwords that are all the same letter. And that’s not secure. Within about 30 days, I had complex passwords implemented and enforced.

  • Share security status. Another early change was to put our security status report on a shared network. Any team member can go in and look at it. Some can update it. I review it weekly and present the status to the executive VP of technology every other week.

  • Adjust commuting habits. My commute is longer here than at my previous job. I’ve learned a good use of that time is to download news and business podcasts so I can listen on the way to and from work.

  • Create an overarching project plan. By far the most complex task I’ve taken on so far is developing the enterprise security and privacy strategy. The reason it’s so complex is it comprises physical security, IT security, business continuity, compliance and privacy; it has to talk about the business drivers and has to be flexible enough to adapt to the bank’s future vision. I’m comfortable with what we’ve produced. What I really need is the next item.

  • Executive committee buy-in on project plan. Cross your fingers.

  • Move physical security staff. We’re putting the physical and IT security folks on the same floor. How’s that for convergence? Another convergence-minded step we’ve taken: joint status meetings. We’ll get crisis management, emergency response working directly with the technology recovery group. They’ve got to talk. There’s still some cliquishness, so in the meetings I’ll bring up topics of common interest—for example, access management. They all have a stake in that.

  • Change perception of physical security. We need to do some marketing here. Once the strategy is approved, I’d like to take it on a road show with management and highlight the advantages of integrating physical and IT security, thus creating a “one-stop shop” for security.

  • Dress down. I’m getting close to checking this one off. I came from a background where you wear suits every day. Here, we have casual work clothes; that includes the option to wear golf shorts. It felt different the first few days. As funny as it sounds, it’s an adjustment for me.

  • Revamp our asset classification policy. Before, data and assets were either confidential or not confidential. I requested a third classification, “personally identifiable information.” I think some folks were worried three would turn into four would turn into 10 would turn into 400. So I waved the regulatory wand and said, If we stay at two classifications, we’re going to have to encrypt everything under the sun. This way, we can encrypt a subset of information. So we created a working group to set the policy, developed standards and now have a policy with three classes of assets.

  • Streamline policies. Despite the fact that we revamped that one policy, overall we have way too many security policies. That happens when you work tactically, ad hoc. Something comes up and someone develops a policy regarding that specific incident. Soon enough, you have all these policies and the only people reading all of them are internal audit. I want to develop a simple, flexible security policy that follows the ISO framework.

  • Balance tactical and strategic. When I got here, security was 100 percent tactical. I want to bring that down to about 40 percent. I’ll do it by creating a strategy/architecture


  • Rate all facilities’ security controls. We’ve created gold and silver ratings for all of our facilities. The next step will be to determine which facilities need to upgrade controls like mantraps, surveillance and so forth.

  • Rehabilitate the reputation of the security group. The main issue is people need to think of security as an enabler of future business and a market differentiator. To do this my team should work on projects that are forward-thinking while addressing present control concerns.