Credibility Through Invisibility

Computerworld -

Who: Nancy J. Wong

Position: Deputy director of national outreach and awareness, U.S. Critical Infrastructure Assurance Office (CIAO), Washington

Education: Master's degree in finance, bachelor's degree in computer sciences and mathematics, University of California at Berkeley

Claims to fame:

• Led the national risk assessment team for the CIAO, results of which contributed to Presidential Decision Directive 63 on Protecting America's Infrastructure in 1998


• Developed curriculum for private sector and launched an outreach program that has raised security awareness among boards of directors at thousands of large businesses across the U.S.


• Ran San Francisco-based PG&E Corp.'s 900-person information infrastructure operations group with an $80 million annual budget, 1993-1996


• Named one of the "Top 100 Women in Computing" for 1996 by McGraw-Hill Publishing Companies.

Nancy Wong is one of those people who chooses to work quietly in the background. She's got good reason. In the early days at the Critical Infrastructure Assurance Office (CIAO), her personal credibility came under attack from the government and private sector, both of which she had been hired to bring together.

"On the one hand, I'd get questions like, 'How could she really understand critical infrastructure operations like electric power when she's just an information technologist?' " she explains. "On the other hand, I would get questions [like] 'How can she represent herself as knowledgeable about information security when she's spent her entire career in the electric industry?' Sometimes, you just can't win."

So Wong made herself invisible and gained credibility by aligning the CIAO with some of the most powerful business leadership organizations in the country, including the National Association of Corporate Directors, the Institute of Internal Auditors and business media conglomerates, not to mention state and local governments.

In so doing, Wong has fostered a strong atmosphere of trust and she has brought the corporate world to the table to discuss roles in infrastructure protection, says Howard Schmidt, co-chairman of the President's Critical Infrastructure Protection Board in Washington.

"You need to talk in a language that the business understands — policy, strategy and investment protection," says Wong, who's still on leave from her position as information asset and risk management officer at PG&E. "When you make security a business issue, it becomes integral to management and business practices of the organization."

The Security Sentinels: Backgrounder on Steel Magnolias The Security Sentinels Credibility Through Invisibility