The Guardian

Protecting the integrity of data is only half the job of the corporate security manager. The other half is persuading employees to protect their data wherever it is.

Most companies wouldn't think of putting information security, physical security and facilities into one unit. Yet 12 years ago, Eduard Telders made combining the management of these units a condition of his employment at Pemco Financial Services in Seattle.

Now, Telders says he knows of a dozen or so Fortune 500 companies, including Microsoft Corp., that have put physical and technical security management together as a single function. And at both Microsoft and Pemco, the position was handed to a technical security manager, not the physical security manager.

It takes a unique technologist to make this leap. Managing these once-disparate groups calls for thinking far beyond "making the wires hum," Telders explains. This renaissance position calls for a manager who can think about how those wires open the company to the risk of internal embezzlement and fraud, data theft and customer privacy violations.

That means the corporate security manager must also stay up to speed on the physical risks to corporate data, such as building-access violations like "shoulder surfing" (following a badged employee through an open door). Telders stays up-to-date through his memberships in organizations such as the American Society of Industrial Security and by maintaining his standing as a certified protection professional, which he received in 1999.

Today, most investigations into security threats or violations require both physical and technical investigative techniques. For example, when Pemco had problems with employees sending hate mail and surfing the Web for pornography late at night a year ago, Telders' team first tracked physical access to areas of the building through its key-entry system. Then they checked to see who was logged on in those areas at night. Finally, they examined the log files on those systems to see what was being accessed.

"All companies have . . . abuses of systems and other [human resources] problems," Telders notes. "Computers have just become one of the tools to commit [electronic] indiscretions."

Along with knowledge of the IT and physical aspects of data protection, Telders must rally every employee around protecting the company's data in all forms. For example, when users said no one would mess with their computers left on at night, Telders suggested that they cash their paychecks and leave the money on the keyboard over the weekend to see if it would still be there Monday. That clicked with them.

"The first thing I learned about managing the physical was that communication is extremely important with users whom you are trying to put tight controls around," Telders says. "They need to understand in their own terms the whys and wherefores of how the entire security system works. And you must be very responsive to their problems."

Ironically, it's the workers on his old stomping grounds, the IT group, who he has to keep the closest eye on, he says. They're the ones trying to punch holes in the firewall to drop in Digital Subscriber Lines and download the latest cool stuff. And they're the ones who see his security policies as an opposition to them accomplishing their mission of making the wires hum. In fact, Telders has to occasionally quash rebellions among IT group employees when they try to wrestle information security management away from Telders' unit.

Although Telders can empathize, he says his real responsibility is to the owners of the data - the shareholders and the board.

"We represent the owners of the data. And based on the rules of the data owners, we make determinations of what is and is not appropriate," he says.

Profile:

28BFD.gaurdian_teldus.jpg
NAME: Eduard Telders

TITLE: Corporate security manager

REPORTS TO: Chief technology officer

DIRECT REPORTS:

red_bullet.gif
Security compliance officer (physical security management)

red_bullet.gif
Safety and security coordinator (safety and physical security administration)

red_bullet.gif
Senior information security analyst (engineering and design, penetration and intrusion detection, forensics)

red_bullet.gif
Two information security analysts(daily administration/project work)

REQUIREMENTS:

red_bullet.gif
Basic understanding of operating systems, networking and IT security

red_bullet.gif
Risk-management background

red_bullet.gif
Physical security certifications and training

red_bullet.gif
Master's degree (Telders' is in biology)

red_bullet.gif
Be adaptable, ethical and a strong business communicator

Special Report

Security Risk and Reward

Stories in this report:

Related:

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon