On-the-job Hazards: Security

These guardians of the gate have found ways to effectively lock down their companies against ever-increasing threats.

Like an army under attack, most companies today find themselves surrounded by a growing number of threats, vulnerabilities and regulatory challenges. But the most successful and secure organizations are finding that in a world of limitless technology choices, the leadership abilities of their CIOs and chief information security officers are what make the difference.

David Jordan knows what it's like to be a wartime security leader. For the past two years, the CISO for the Arlington County Government in Virginia has had to deal with the ballooning security needs of federal intelligence agencies, the Pentagon, Reagan Washington National Airport and 3,500 county employees.

"I started the way a lot of people start, and that is with no staff and no budget," says Jordan. Prior to the Sept. 11 terrorist attacks, the county's IT security department had "no plan, no program and no buy-in," he recalls. "So we're talking about being creative and having to teach the technology leadership and agency department heads a lot about security."

But Arlington County's fortunes have changed in the two years since Jordan became CISO. Most notably home to Arlington National Cemetery and the Pentagon, the county not only has a plan and a program, but Jordan also personally ensures that there's buy-in and, more important, an understanding of security needs up and down the chain of command.

"Every new employee in the county gets to meet me," says Jordan, adding that the nation's most densely populated jurisdiction but smallest county by land area doesn't have a full-time IT security staff. "I consider every employee a staff member," he says. As such, he empowers them to take ownership of security.

"I can handle securing the network, but if I can hook them in by teaching them how to lessen their pain when something happens, I can make cybersecurity an effective skill that's useful in their personal lives as well," he says.

Jordan's approach is also having an effect up the chain of command. "I have an agreement with the chief operating officer that if things look really ugly, I pull the pipe," he says. "I don't have to ask."

Command and Control

That's the same kind of balance that David Bauer, Merrill Lynch & Co.'s first vice president and chief information security and privacy officer, has to contend with. "Now the [security] leadership has to have both kinds of expertise," says Bauer, referring to the ability both to link regulatory requirements to IT actions and programs and to command daily security efforts.

"In the past, the security team was like an auditor," he says. "Now they're more visible. You're expected to have at your fingertips at all times what's going on in the world and the state of your defenses. It's like being a national security adviser. It's no longer accepted to say, 'I'll get back to you on that.' "

How does Bauer do it? "I make decisions, to prevent apathy from developing," he says. "I coach, to ensure play is crisp and focused. I learn, so that I can understand what's new and avoid mandates. ... And I provide air cover, so that the team can develop ideas and bring the good ones to fruition."

Providing air cover is something that John M. Gilligan is familiar with. In fact, one of his first jobs as the CIO of the U.S. Air Force was to find a way to modernize a complex system of networks used to manage military forces around the world. The IT acquisition and fielding efforts for that program alone cost $100 million per year. Today he oversees a multibillion IT program -- many times larger than even the biggest corporate enterprises.

But in an organization as large as that of the Air Force -- with 110 bases, 500,000 users and 10 CIOs at major commands who report to Gilligan -- sometimes peer pressure can be a valuable tool to not only gain consensus, but also to simply get things done.

In fact, when Gilligan led an effort to consolidate Air Force servers and networks, the cultural resistance was significant, he says. So he developed metrics for measuring progress and held quarterly reviews with the CIOs where their efforts were presented to the group. No CIO whose organization isn't pulling its weight wants to face a room full of CIOs, he notes.

"The peer pressure of the visible metrics served to motivate the commands to accelerate progress," says Gilligan. "I find that if I can challenge my staff with a good description of the end goals or vision, then they can usually provide innovative ideas on how to achieve the goals."

But is real change possible through effective leadership? According to Jordan, people can make a difference if they're given enough time and leverage.

"I used to think it took 10 years to change a culture," says Jordan. "Now I think you can do it in two to three years. That's what one man can do."

Copyright © 2004 IDG Communications, Inc.
