Managing Security Risk
These guardians of the gate have found ways to effectively lock down their companies against ever-increasing threats.
January 5, 2004 12:00 PM ET, Computerworld
Like an army under attack, most companies today find themselves surrounded by a growing number of threats, vulnerabilities and regulatory challenges. But the most successful and secure organizations are finding that in a world of limitless technology choices, the leadership abilities of their CIOs and chief information security officers are what make the difference.
David Jordan knows what it's like to be a wartime security leader. For the past two years, the CISO for the Arlington County Government in Virginia has had to deal with the ballooning security needs of federal intelligence agencies, the Pentagon, Reagan Washington National Airport and 3,500 county employees.
"I started the way a lot of people start, and that is with no staff and no budget," says Jordan. Prior to the Sept. 11 terrorist attacks, the county's IT security department had "no plan, no program and no buy-in," he recalls. "So we're talking about being creative and having to teach the technology leadership and agency department heads a lot about security."
But Arlington County's fortunes have changed in the two years since Jordan became CISO. Most notably home to Arlington National Cemetery and the Pentagon, the county not only has a plan and a program, but Jordan also personally ensures that there's buy-in and, more important, an understanding of security needs up and down the chain of command.
"Every new employee in the county gets to meet me," says Jordan, adding that the nation's most densely populated jurisdiction but smallest county by land area doesn't have a full-time IT security staff. "I consider every employee a staff member," he says. As such, he empowers them to take ownership of security.
"I can handle securing the network, but if I can hook them in by teaching them how to lessen their pain when something happens, I can make cybersecurity an effective skill that's useful in their personal lives as well," he says.
Jordan's approach is also having an effect up the chain of command. "I have an agreement with the chief operating officer that if things look really ugly, I pull the pipe," he says. "I don't have to ask."
Command and Control
That's the same kind of balance that David Bauer, Merrill Lynch & Co.'s first vice president and chief information security and privacy officer, has to contend with. "Now the [security] leadership has to have both kinds of expertise," says Bauer, referring to the ability both to link regulatory requirements to IT actions and programs and to command daily security efforts.
"In the
Financial
