Chief (in)security officer

Corporate pressures are putting the onus on security executives to show their programs are effective.

The exodus began in December. Bruce Moulton, vice president of infrastructure risk management at Fidelity Investments in Boston, was let go. That same month, Steve Katz, chief security and privacy officer at Merrill Lynch & Co. in New York, accepted a buyout. And in April, shortly after his face appeared on the cover of CIO magazine, Michael Young, chief information security officer and principal privacy officer at State Street Global Advisors in Boston, lost his job in a company reshuffle.

The departure of these and other information security veterans from Fortune 500 companies reflects the beginning of turbulent times for chief security officers (CSO). Since Sept. 11, CSOs have faced new pressures to prove the value and effectiveness of their security measures, even as they struggle politically for legitimacy within their corporations and for support from the technology and business units they're trying to protect, say analysts.

"We're in a transition period, and the smart [CSOs] are getting out of the way," says David Foote, president and chief research officer at Foote Partners LLC, a management consultancy and IT job research firm in New Canaan, Conn. "They see the risks in trying to build in the next phase of security - moving from fragmented delivery of security technology to a coordinated, aggressive, well-conceived security program.

"They understand how long it takes to build attention and change the culture to make this next step, but they're not getting the support they need to brand and build this next level of security," says Foote, who is also a Computerworld columnist.

Uphill Battle

Corporate politics is the single biggest problem facing CSOs, according to some who hold such positions and industry analysts. Even though CSOs have attained a chief-level title, they report that they still generally lack enough power to be truly effective. And there's growing friction between the CSO, who usually has only a handful of people on staff, and the CIO, who has hundreds or, in some cases, thousands of people on staff, says John Pescatore, a security research analyst at Gartner Inc. in Stamford, Conn.

Because of these conflicts and the expanding role of information protection to encompass privacy, regulatory compliance and disaster recovery, firms genuinely don't know where to put the function of information security - if they have a formal management function at all, says Tracy Lenzner, CEO of executive security search firm Lenzner Group in Las Vegas. In fact, only 54% of 72 chief executives working for companies with at least $1 billion in annual revenues said they have a CSO in place, according to a survey released in January by technology and strategy consulting firm Booz Allen & Hamilton Inc. in McLean, Va.

"Unfortunately, for many organizations I think that the executive-level positioning of CSOs will be heightened only when we're hit with a catastrophic event," Lenzner adds.

That's also the consensus among the unemployed and employed CSOs who were interviewed for this story, all of whom say information protection has always been an uphill battle because it's difficult to prove its value unless a catastrophe occurs. As such, CSOs lack the power to do more than set policies and put out fires, says a CSO from a Fortune 100 technology equipment manufacturer who asked to remain anonymous.

"The greatest threat we face is the belief of senior management that there is no threat. So we don't get funds, money or resources, and without those things, you can never address security threats and risks," says another security officer at a global financial firm who's planning his exit strategy and starting a consulting practice.

Young says he believes some of these problems can be lessened if CSOs get on board with business initiatives and competitive strategies more consistently. "As a whole, CSOs still express security in technical terms instead of business terms," he says.

Katz, Young and Moulton, however, all speak the language of business and have driven information risk management throughout their former organizations. (As for his business savvy, Moulton thinks he might have worked himself out of a job by integrating security ownership into the business units themselves.) Similarly, Katz looks at security from the standpoint of business enablement, adding that risk management methodologies are no different from other processes of building business risk models for nontechnical offerings.

Another view of this upheaval in security leadership is that Katz, Young and Moulton have completed their work of championing security. They have laid the critical groundwork by building consensus; establishing best practices and awareness; and preparing business and technology units for compliance, liability, security audits and procedural forensics investigations. Now Katz and Young are offering these start-up services to smaller companies and home offices through consulting businesses, a path Moulton says he might also take.

The next phase of information protection involves becoming more technical in focus, say analysts.

"In the past, we measured our success by telling about the programs we put in place and the policies we wrote. As we move forward, it's more about how well those policies are being implemented, how secure the systems are and what impact they're having," says Michael Ressler, director of security services at New York-based IT consulting firm Predictive Systems Inc. "And that means more technical background is needed for security management."

Booz Allen's survey cites three areas that chief executives are more focused on since Sept. 11:

• 75% of respondents said they're more concerned with infrastructure protection.

• 71% said they're more concerned with risk assessment.

• 69% said they're concerned about employee morale. At one Fortune 100 technology manufacturer, low morale is already translating into abuses by employees, according to its CSO, who says pornography Web surfing at the company is up 40%.

If Katz's replacement is any indication, some firms are already catching on to this more technical focus. Merrill Lynch's new chief of security and privacy, David Bauer, has a highly technical background, as he was in charge of network management and engineering, including security engineering, at Morgan Stanley Dean Witter & Co. and then at Deutsche Bank.

But even with the best technology project management and business skills, these new technobusiness/security hybrids will run into all the same empowerment problems as their forerunners, says Thornton May, a senior member of executive advisory firm Toffler Associates Inc. in Manchester, Mass., and a Computerworld columnist. To survive this upheaval, security executives must be strong in business and technology, he adds.

"Security professionals will need to understand the lingua franca of business, which is accounting," he says. "They also have to be able to understand how the network works, how the application works and how the hardware works if they're to mobilize the security organization. Then they need to align their security strategy to where the business is going and tone their architecture and deployment to fit the financial plan of the company."
