Leadership Lessons: CSO Compass Awards 2008

Edward AmorosoSenior VP and Chief Security Officer, AT&T

“Growing up in a computer science family got me exposed to some of the greatest minds of computer security at a young age. When I was little, my dad’s friend was Peter Neumann, one of the world’s greatest security engineers. If we had a Nobel Prize for computer security, he would have won it three times.These were extremely interesting people who were knowledgeable about everything, not just technology. They told the most interesting anecdotes, from the worlds of both art and science. I decided early on to be sort of like that. Similarly, Cliff Stoll was an astronomer before getting into security, and a lot of the good computer security experts are from different disciplines so they take a different view. Richard Feynman, a physicist, was breaking codes during the Manhattan Project, using techniques we now use to crack passwords. He was one of the world’s first hackers.”

Edward Amoroso serves as senior vice president and chief security officer for AT&T Services. His responsibilities include real-time protection of AT&T’s vast network and computing infrastructure; security policy, planning and architecture for AT&T’s enterprise; digital rights management and security support for AT&T’s IPTV and entertainment initiatives; and lead design, development and operations support for AT&T’s managed and network-based security services.Amoroso’s 22-year career at AT&T began at Bell Laboratories. “I was following my mom’s advice to join a company that wouldn’t change much,” he jokes. Computer science runs in the family—not only are his brother and sister also in the field, but his father was one of the first people in the world to receive a master’s degree and a PhD in computer science, at University of Pennsylvania.

While at AT&T, he began by working on securing the Unix operating system, as well as on numerous federal government security initiatives. More recently, he has championed AT&T’s network-based security strategy, centered around emerging in-the-cloud protection services such as Internet Protect and DDoS Defense.

Amoroso has authored research papers and four books on information security, including Cyber Security, which is written for mainstream readers. He holds MS and PhD degrees in computer science from the Stevens Institute of Technology and is a graduate of the Senior Executive Pro¬gram at the Columbia Business School. He has served as an adjunct professor in the computer science department at Stevens for the past 18 years. Over the years, he says, “it’s been an interesting evolution to watch security grow from being a niche player to something mainstream.”

Ron Baklarz

Director of Information Systems Security, MedStar Health Information Systems

“The single most significant factor is to understand your organization’s culture. For example, in the military sector, implementing security is much easier since it is ingrained in the culture. When you try the same approach in private sectors such as financial industries or health care, it is a much more difficult endeavor. Implementing security at the U.S. House of Representatives was particularly challenging, since it was equivalent to working with 435 CEOs.

“In any industry, my approach to implementing security has been to:

• Keep an even keel. In many cases, it doesn’t help to get too emotional especially when trying to implement security programs in an immature environment. Changing culture takes time.
• Be consistent. Users will constantly test you and your security program, so it is important to apply security in a consistent manner. Consistency sends a good, solid security message rather than a waffling one.
• Educate and communicate. Often, users may not like the security controls you are implementing, but if they are aware and educated, at least they may appreciate and understand what you are trying to accomplish.”

In his 20-plus years in the information security field, Ron Baklarz (CISSP, CISA, CISM, IAM, IEM) has developed information security programs for the Naval Nuclear Program, the U.S. House of Representatives, the American Red Cross and MedStar Health, where he is currently the HIPAA Security Officer. He has also led incident-response and monitoring teams for a variety of industries, including government, insurance, health care and Big Five consulting firms.

Baklarz’s security expertise spans policy development, incident handling and response, network intrusion detection, antivirus and network perimeter protections, cyber-related fraud investigations and computer forensics.

Baklarz holds a MS degree in information science and a Certificate of Advanced Study in telecommunications, both from the University of Pittsburgh, and is currently an adjunct professor at the University of Virginia. He writes articles and books, including The Art of Information Warfare.

Renee Guttmann

VP and Information Security and Privacy Officer, Time Warner

“Over the course of my career I have had to learn to work with many different kinds of people, including some who are directly confrontational. I was fortunate that the company helped me get a coach who recommended the book Crucial Conversations: Tools for Talking When Stakes Are High. It talks about working toward a common outcome and showing we care about each other’s goals.

I started to embrace difficult and challenging people. A lot of times they have great ideas but don’t know how to communicate them. Now, I seek out the rock throwers. They’ve often saved my bacon. I learned to recognize that they aren’t challenging me; they are challenging my role. It isn’t personal. That realization helped me to listen to the ideas they are trying to get across. We’re in this together; we want the same outcome.”

Renee Guttmann is vice president of information security and privacy officer at Time Warner. In her seven-plus years at Time Warner, she has worked to create the TW Enterprise Information Security and Privacy policy; define an enterprise privacy framework and strategy to support international privacy regulations and transborder data flows; and create an Enterprise Information Risk Management program.

In her nearly 20 years in information technology, she also worked at Glaxo Wellcome as a principal information security consultant, at Gartner as a senior research analyst and at Capital One Financial as an information security architect.

Gutmann holds an honors BA from Wilfrid Laurier University in Waterloo, Ontario, where she studied historical archaeology. The subject, she says, had a bearing on her choice of careers. In her last year of school, her professor recorded the class’s artifacts on a computer punch card, in order to produce maps of where everything was found. This piqued Gutmann’s interest in computers, leading her to obtain a computer programming diploma from Honeywell Institute in Toronto. She did some programming and end-user support work at Black & Decker, Honeywell and Xerox, where she also did some sales work. “That experience gives you incredible skills, because security is all about selling the mission and getting people to understand their risk or exposure, and the benefit of addressing that.”