Chief security officers run into hard times

Computerworld - The exodus began in December. Bruce Moulton, vice president of infrastructure risk management at Fidelity Investments in Boston, was let go. That same month, Steve Katz, chief security and privacy officer at Merrill Lynch & Co. in New York, accepted a buyout. And in April, shortly after his face appeared on the cover of CIO magazine, Michael Young, chief information security officer and principal privacy officer at State Street Global Advisors in Boston, lost his job in a company reshuffle.
The departure of these and other information security veterans from Fortune 500 companies reflects the beginning of turbulent times for chief security officers (CSO). Since Sept. 11, CSOs have faced new pressures to prove the value and effectiveness of their security measures, even as they struggle politically for legitimacy within their corporations and for support from the technology and business units they're trying to protect, say analysts.
"We're in a transition period, and the smart [CSOs] are getting out of the way," says David Foote, president and chief research officer at Foote Partners LLC, a management consultancy and IT job research firm in New Canaan, Conn. "They see the risks in trying to build in the next phase of security - moving from fragmented delivery of security technology to a coordinated, aggressive, well-conceived security program.
"They understand how long it takes to build attention and change the culture to make this next step, but they're not getting the support they need to brand and build this next level of security," says Foote, who is also a Computerworld columnist.
Uphill Battle
Corporate politics is the single biggest problem facing CSOs, according to some who hold such positions and industry analysts. Even though CSOs have attained a chief-level title, they report that they still generally lack enough power to be truly effective. And there's growing friction between the CSO, who usually has only a handful of people on staff, and the CIO, who has hundreds or, in some cases, thousands of people on staff, says John Pescatore, a security research analyst at Gartner Inc. in Stamford, Conn.
Because of these conflicts and the expanding role of information protection to encompass privacy, regulatory compliance and disaster recovery, firms genuinely don't know where to put the function of information security - if they have a formal management function at all, says Tracy Lenzner, CEO of executive security search firm Lenzner Group in Las Vegas. In fact, only 54% of 72 chief executives working for companies with at least $1 billion in annual revenues said