


New Security Leadership: The Basics

Jan 01, 2004
Data and Information Security | IT Jobs | IT Leadership

Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.

September 11 profoundly changed the public perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics. But every security leader knows that as time passes after any incident – no matter how demonstrative – corporate concern for the issues brought to light by that incident tends to wane.

Maintaining the right level of boardroom and employee awareness (and therefore, frankly, security budget) is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. Below, CSO looks at what's Out and what's In.


OUT: FUD

FUD stands for fear, uncertainty and doubt, and it's long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road.

In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team’s credibility. “That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence,” says Jim Mecsics, vice president of corporate security for Equifax. “But when you approach corporate officers with the tactics of fear, you’re walking into a trap. Somebody will eventually say, ‘OK, show me where the real [emergency] is,’ and then your credibility is shot.” FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven’t learned how to make a data-driven risk management argument. A CSO who doesn’t stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents’ arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization’s management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group’s use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. “They got worked into such a frenzy that it was like a runaway train,” says Mecsics.

FUD also wastes money, because money spent out of fear is rarely spent well. When CSOs buy and implement a security initiative because of a scare, they'll have a much harder time managing and assessing it afterwards on its merits and actual results.

(To learn more, read “The FUD Factor” by Daintry Duffy.)

IN: Metrics and ROSI

Like it or not, the corporation is generally managed by the numbers.

Eventually, security will be almost completely metrics-driven. A reliance on metrics is, after all, the mark of a mature corporate function. Most security executives already need to develop, cull and otherwise employ risk analysis metrics and benchmarks. And experts say those leaders should devote considerably more financial resources to developing benchmarks than they do already.

“The ISO is going to the CEO saying there’s a chance something bad, and possibly something embarrassing, could happen,” says Alan Paller, director of research at SANS Institute. “But how much of a chance, the ISO doesn’t know. And if he spends this kind of money, he can reduce the risk, but by how much he doesn’t know. There is simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. The CEO doesn’t want it, and eventually he won’t take it.”

So forget FUD, and start learning how to demonstrate the value of your ideas using metrics and, especially, ROSI (return on security investments). This is an approach that infosecurity pros have been slow to adopt, although it is clearly valuable. Economist Frank Bernhard’s research, for example, shows about six cents of every revenue dollar is at risk because of a lack of information security, but many companies spend barely a dime of their IT dollar on security.

“I’m not sure why IT tends to disregard these tools,” says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. “It’s a bit frustrating to keep hearing that you can’t do it accurately. That is not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization if they have the willingness to learn this.”

ROSI is rarely easy. It requires legwork, and lots of it. As you begin, it’s helpful to keep in mind that precise measurements are not necessarily the goal. “This is a classic problem that technologists have,” says Kevin Soo Hoo, a researcher at the security consultancy @Stake. “They don’t understand that you can make rough guesses to work out a problem. We dive into an ROSI study, and the engineers are focused on the minutiae and want to argue for days whether some variable should be .6 or .55. It doesn’t matter.”

With ROSI, as with all risk assessment, the goal is accuracy, which is not at all the same thing as precision. The point is to provide a set of guiding principles from which you, your CEO and CFO can make more informed decisions about what’s acceptable. In other words, the CEO doesn’t (or shouldn’t) care if a return is precisely $3.13 for every $1 spent or $2.97. He cares that it’s accurate to suggest about a 3-to-1 return, and not a 1-to-1 return or, worse, a 1-to-3 return.

(For a more complete explanation, plus formulas and sample ROSI calculations, see “Calculated Risk,” by Scott Berinato.)
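The kind of calculation this section describes, as an added worked example (it is not code from the article, nor from the "Calculated Risk" piece it cites): the commonly used ALE-based ROSI formula, applied to constructed dollar figures, plus a sensitivity sweep that makes Soo Hoo's point concrete. If the funding decision comes out the same whether the mitigation estimate is .55 or .6, the argument over the exact value is moot. The scenario name, figures and the 1:1 funding hurdle are assumptions made for the example.

```python
"""Worked ROSI (return on security investment) example.

Added illustration for the "Metrics and ROSI" section; not from the article.
Uses the commonly used ALE-based formulation (annualized loss expectancy):

    ALE  = SLE * ARO            (single-loss expectancy x annual rate of occurrence)
    ROSI = (ALE * mitigation - cost) / cost

Every dollar figure below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float          # single-loss expectancy: dollars lost per incident
    aro: float          # annual rate of occurrence: expected incidents per year
    mitigation: float   # fraction of the ALE the control is believed to remove (0..1)
    cost: float         # annual cost of the control, dollars

    @property
    def ale(self) -> float:
        return self.sle * self.aro


def rosi(scenario: Scenario) -> float:
    """Return on security investment as a ratio: 3.0 means $3 back per $1 spent."""
    if scenario.cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= scenario.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    avoided_loss = scenario.ale * scenario.mitigation
    return (avoided_loss - scenario.cost) / scenario.cost


def sensitivity(scenario: Scenario, low: float, high: float,
                step: float = 0.05, hurdle: float = 1.0) -> dict:
    """Sweep the mitigation estimate across [low, high] and report whether the
    funding decision (ROSI >= hurdle) is the same everywhere in that range.

    This is the accuracy-not-precision check: when the decision is stable,
    arguing about the exact estimate changes nothing.
    """
    results = []
    m = low
    while m <= high + 1e-9:
        s = Scenario(scenario.name, scenario.sle, scenario.aro, round(m, 4), scenario.cost)
        results.append((round(m, 2), round(rosi(s), 2)))
        m += step
    decisions = {r >= hurdle for _, r in results}
    return {"range": results, "stable": len(decisions) == 1, "fund": decisions == {True}}


# Constructed example: a $200k-per-incident loss expected about five times a
# year (ALE = $1M), and a control believed to remove ~60% of it for $150k/year.
WEB_APP_CONTROL = Scenario("web-app attack losses", sle=200_000, aro=5,
                           mitigation=0.60, cost=150_000)

if __name__ == "__main__":
    print(f"ALE:  ${WEB_APP_CONTROL.ale:,.0f}")
    print(f"ROSI: {rosi(WEB_APP_CONTROL):.2f} : 1")
    sweep = sensitivity(WEB_APP_CONTROL, 0.50, 0.70)
    for m, r in sweep["range"]:
        print(f"  mitigation {m:.2f} -> ROSI {r:.2f}")
    print("decision stable across the range:", sweep["stable"], "| fund:", sweep["fund"])
```

With these figures the point estimate is a 3:1 return, and the sweep from .50 to .70 stays between roughly 2.3:1 and 3.7:1, so the decision to fund never flips. Raise the control's cost toward the avoided loss and the sweep becomes unstable, which is the signal that the estimate itself, not the arithmetic, needs more legwork.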

OUT: Blame games and fall guys

When a breach occurs, the CSO frequently takes the blame. Sometimes, he is fired. What’s wrong with that?

In a word, plenty. If you’re the fall guy (or if your security group is) for every incident, then chances are good that you’ve taken the wrong position in your company’s security decision-making process. Most common mistake: Setting up the CSO as the one who makes the final call.

(Gavin de Becker, Hollywood's de facto CSO, offers advice on this topic in an interview with Sarah Scalet.)

IN: Risk management and shared accountability

Even on security matters, the final call should not be yours. The final call belongs to the CEO, president, and board of directors – those who are directly accountable for shareholder value.

The right answer to “what is security supposed to do?” (as Paller alluded to in the “Metrics and ROSI” section, above) is this: Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies. Then the business leaders make the decisions on acceptable risk.

Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization's security IQ. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger speaks at business group meetings and consults with Delphi's executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and he mandates that all new employees take a security course and undergo training.

When Granger first arrived at Delphi, he laid out a charter detailing the differences between his responsibilities and those of corporate.

Granger says his charter, which defined the global security policy at Delphi, was well received. Since then, says Granger, considerable effort has been spent spreading a “strong infosec policy that’s published everywhere. Here, people can’t say that they aren’t aware of the policy,” he says. “The charter has greatly enhanced our visibility and security awareness here. They know who we are.”

But it’s not solely about getting the word out, says Granger. It’s how you speak the word and how it’s received. Often, it comes down to developing trust with your peers, which lets them, in turn, feel more comfortable shouldering some of the accountability burden.

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Process management can reinforce the fact that security is not a one-group function. Moreover, its linkage to a business context, its embeddedness within enterprise business processes, suggests that other players are ultimately accountable as well. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams tries to involve as many different functions in his security process as possible. Williams works with members from various cross-functional groups, with internal audit and the insurance group, for example. He also breaks his security process into three core elements: risk assessment, enterprise-wide collaboration and strategic planning. Williams staffs his department with people who come from a variety of areas: systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can "cut across security and think in terms of the whole organization," he says. As part of the process, he and his team continually assess and reassess all of their client groups' needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. "I own the process," Williams says confidently. "There are a number of processes here that have my team's signature on them." But, he and other CSOs add, all security processes should always have the business execs' signatures on them as well.

Getting past the Fall Guy Syndrome boils down to good policies, good process management and constant corporate education.

OUT: Tech talk and copspeak

A not-so-secret secret: Many executives think security chiefs have a bad attitude. And we're not just talking about information security officers. Traditional corporate security executives are saddled with a bad rep. It's time to learn what it means when a CEO, after eliminating the CSO or CISO, says, "There was just something about him that didn't fit with the organization."

The physical security chief, according to stereotype, is a rigid and dogmatic “top cop” who has an “arrest” mentality and is a no-man as opposed to a yes-man.

The information security executive comes across as an arrogant know-it-all who is whiny, defensive, uncooperative and doesn’t try to work with others because, how could anyone but he possibly understand the technical challenges he faces?

Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. "We had one CSO candidate for a Fortune 500 not get the job," says recruiter Tracy Lenzner. "And he (I can hardly explain it, but it was so telling) lashed out about how the company didn't know anything. He was angry. He was like a child that didn't get his way."

(Want to learn more about moving past these stereotypes? Read our special Image issue, starting with the introduction, “Show Time for Security.”)

Former CISO Stephen Northcutt believes the attitude comes from the likelihood that many candidates for CISO positions are underqualified. “They are stressed out, secretive, edgy and defensive because they don’t have the understanding or mastery of tools they need,” he says.

As a result, those candidates fall back on old habits: always reaching for obscure technical explanations, or always reacting negatively to any risky or unorthodox business proposition. Those forms of communication don't fly in the boardroom.

IN: Business language and communication skills

When James Christiansen came to GM from Visa, where he was also head of security, he found the move from financial services to manufacturing to be a jolting transition. “You speak a different language, you look different and you dress different.” So Christiansen did two things: He signed up for classes on the workings of the auto industry, and he made a point of doing a lot more listening than talking.

In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM's financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company's business line executives. "Everything I bring them is cost additive, and that can create a natural conflict," says Christiansen. "I need to be able to show the bang for the buck, the ROI per dollar and how I'm going to help them solve business problems." None of that can be achieved without a keen understanding of the business and the recognition that the CSO's role is to enable business success in an appropriately secure context. To combat the perception that security is divorced from the business world, Bill Boni, Motorola's CISO, has even gone so far as to shun the usual moniker "IT security" in favor of the more business-friendly title "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed on a server or confidential contracts in a sheaf of papers.

Talking in business terms with executives can also be a tremendous asset in advancing the CSO’s agenda, which is often bogged down by the perception that it’s too technical for business executives to understand. “I’ve seen too many information security practitioners fall short in their role because what they really love is the technology,” says Boni. “They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives’ insight, experience and judgment can be engaged, the executives are already disengaged. The executives conclude that security is at a level that’s inappropriate for their consideration.”

As the old saw goes: It’s not just what you say, but how you say it. So practice your delivery. As anyone who’s ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City’s renowned comedy club, on a Friday night. “It was one of the most horrifying experiences I think I’ve ever been through,” says Hancock. “You get up in front of an audience, half the people there are probably inebriated in some fashion, and you’ve got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don’t know you from nobody.” The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it’s important to focus on how you communicate as well as what you communicate.

Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle’s CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. “People ought to be thanked for doing their job more often,” she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. “Business is personal,” Davidson says. “It’s not being manipulative, it’s just that you catch more flies with honey.”

OUT: Silos

Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group… you know the usual drill. Security functions have a history of fragmented organization. “Each of these departments’ main mission is ‘to protect company assets;’ however, each usually reports through a different hierarchy,” one privacy and IT security manager puts it. “It makes no sense.”

Historically, the greatest chasm, not just organizationally but culturally as well, lay between information security folks and their corporate security counterparts. Each side has a list of pejorative ways to describe the other's profession and professionals (propellerheads vs. knuckledraggers, etcetera).

IN: Holistic security

Enough squabbling already. Disjointed management and lack of communication lead to a weaker security posture and wasted money due to duplicated efforts.

“The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management,” says Lance Wright, principal at the Boyden Global Executive Search company.

Consider these specific areas where holistic security management pays off:

Business continuity: Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective."

Hiring and firing: When an employee comes on board, she may need a number of assets and rights before she becomes productive: a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. Conversely, a company with disjointed access management can expect a much longer ramp-up time. That's lost money. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.

Intellectual property protection: IP (patents, ideas, classified research) is stored in many forms, from data on the corporate network, to CAD printouts in the trash can, to drawings on the whiteboard in the graphics department. Losing that proprietary information can cripple a company competitively. Bill Boni, CISO of Motorola and a former Army intelligence officer, notes that the only way to protect intellectual property from threats inside and outside the company is by interconnecting all the necessary defensive measures: logical, physical, legal and otherwise.

Regulatory compliance: Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces. Who's going to give them an accurate picture if no one has visibility across all security domains?

Coordinated access management: It's midnight, and the network control center notes that the CEO just logged on to her office workstation. Problem is, the building access card system notes that the CEO left the building five hours ago. If the network and building access controls were coordinated, the night watchman would know he needs to take a stroll down the hall and see who's sitting at the CEO's desk and using her account.
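The midnight-logon scenario above, as an added example that is not code from the article: a small correlation routine run over constructed badge and logon records. It flags a workstation logon by a user whose most recent badge event was an exit, or who has no badge record at all. The record format, user names, door names and host names are assumptions made for the example.

```python
"""Correlating workstation logons with building-access (badge) events.

Added illustration for the "Coordinated access management" item; it is not
code from the article. The record format, user names, door names and host
names are all constructed for the example.
"""
from datetime import datetime
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    system: str   # "badge" (door controller) or "net" (domain controller)
    user: str
    action: str   # badge: ENTER / EXIT   net: LOGON / LOGOFF
    where: str    # door name or host name


def parse(line: str) -> Event:
    """Parse one constructed pipe-delimited record, e.g.
    2004-01-01T19:00:00|badge|ceo|EXIT|lobby-turnstile"""
    ts, system, user, action, where = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), system, user, action, where)


def find_ghost_logons(
    lines: List[str],
    allow_remote: FrozenSet[str] = frozenset(),
) -> List[Tuple[Event, Optional[Event]]]:
    """Return (logon, last_badge_event) pairs for every on-site LOGON whose
    user's most recent badge record is an EXIT, or who has no badge record
    at all. Hosts in allow_remote (VPN gateways) are skipped, since logons
    there are expected to come from outside the building."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    presence: Dict[str, Event] = {}   # user -> most recent badge event seen so far
    alerts: List[Tuple[Event, Optional[Event]]] = []
    for ev in events:
        if ev.system == "badge":
            presence[ev.user] = ev
        elif ev.system == "net" and ev.action == "LOGON" and ev.where not in allow_remote:
            last = presence.get(ev.user)
            if last is None or last.action == "EXIT":
                alerts.append((ev, last))
    return alerts


# Constructed sample: the CEO badges out at 19:00 and "logs on" at midnight;
# jsmith badges out and later logs on through the VPN; contractor9 never badged in.
SAMPLE_LOG = """
2004-01-01T08:05:00|badge|ceo|ENTER|lobby-turnstile
2004-01-01T08:10:00|net|ceo|LOGON|ws-exec-01
2004-01-01T12:30:00|badge|jsmith|ENTER|lobby-turnstile
2004-01-01T12:32:00|net|jsmith|LOGON|ws-fin-17
2004-01-01T17:30:00|badge|jsmith|EXIT|lobby-turnstile
2004-01-01T19:00:00|badge|ceo|EXIT|lobby-turnstile
2004-01-01T21:00:00|net|jsmith|LOGON|vpn-gw
2004-01-02T00:00:00|net|ceo|LOGON|ws-exec-01
2004-01-02T00:05:00|net|contractor9|LOGON|ws-fin-03
"""

if __name__ == "__main__":
    for logon, last in find_ghost_logons(SAMPLE_LOG.splitlines(), frozenset({"vpn-gw"})):
        seen = (f"last badge {last.action} at {last.where} {last.ts:%H:%M}"
                if last else "no badge record")
        print(f"{logon.ts:%Y-%m-%d %H:%M} {logon.user}@{logon.where}: {seen}")
```

Two caveats a practitioner would add before paging the night watchman. A user who tailgated in behind a colleague has no badge-in record and lands in the no-record branch, so the alert is a prompt to walk down the hall, not proof of compromise. And remote-access gateways must be excluded (the allow_remote set), because a VPN logon from home is exactly what a badge-out followed by a logon is supposed to look like.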

The most obvious way to manage security holistically is to make one person responsible: a CSO. But even in companies where that's impractical, creating new lines of communication and knocking down formerly adversarial relationships is a must.

(For more about the benefits of holistic security, read “Convergence: The Pain & The Payoff” from our special report on convergence.)

Compiled from CSO Magazine. Contributing writers include Scott Berinato, Daintry Duffy, Sarah Scalet, Tom Wailgum and Malcolm Wheatley. Send feedback to Executive Editor Derek Slater at

Further Reading

Selected leadership profiles from CSO Magazine:


Want to hear about security leadership straight from the source? Read the latest Undercover, a monthly column written by an anonymous CSO.

Security 2.0

What does it take to bring together information security and physical security? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely. Read more about how John Petruzzi, director of enterprise security, is leading the transformation.

Secrets of Their Success

It takes more than knowledge and experience to excel. Five top CSOs share their tips for putting forward a positive message in appearance, word and deed. Hear from American Electric Power's Michael Assante, Bank of America's Rhonda MacLean and others.

Goal-Line Stand

Anything can happen at a football game. But Milton Ahlerich, the NFL's VP of security, has sworn to make it safe for players and fans alike.

Safe Harbor

From Boston’s Logan Airport to the city’s waterfront shipping facilities, CSO Dennis Treece patrols an anxious perimeter.

Called to Account

Some security executives see protecting their company’s assets as a way to earn a living. ABN Amro’s CISO Sharon O’Bryan sees it as her mission.

The Architect

Imagine being able to layer security into your building the way you do the plumbing or wiring. Genzyme's Dave Kent doesn't have to imagine it; he got to do it.

It’s a Small World

Bob Littlejohn heads up Avon’s worldwide effort to keep the business up and running and the employees safe.

The Human Touch

GWU’s information security officer Krizi Trivisani focuses on the softer skills-like communicating with students and administrators-to help her battle real-life villains.