Nearly 30 years of experience and four jobs in corporate security, including his current post as executive director of global security at Merck & Co., and not once has Bob Moore been let go, laid off, fired or otherwise left to "pursue other interests," as the transparent euphemism goes. He attributes his perfect record to the kinds of things you'll find in all the management and leadership books--honesty, confidence, good staffing, experience. But then he backs it up. He demonstrates how the dog wags the tail, not vice versa. He hasn't been fired, in part, because of his credibility. Sounds nice. But then Moore explains in large block paragraphs how he gained credibility--by reporting to legal counsel, for one. And by creating global security policies in which the most detailed section is not on what employees can and cannot do, but on the ethical guidelines for his own security team.
"He is what I'd call the example of a CSO who's a leader and who will thrive," says Tracy Lenzner, CEO of the LenznerGroup, an executive recruitment company that places CSOs and CISOs.
Not all of you will be as lucky or as smart as Bob Moore. In fact, the reason we're writing this story now, right after you learned how to get hired, is because there is also an epidemic of firings going on. That's especially true in the information security ranks. Companies such as Merrill Lynch and Fidelity have eschewed their information security officers. And R.A. Vernon, the CISO for Reuters America, was interviewed for this issue because of his wealth of experience and because he directly contributed to his company's revenue stream. Before we finished, he was let go.
The statistics show that most of you are not like Bob Moore. You are young in your job or the first to hold an executive security position at your company, or both (see charts from our exclusive survey results, left). Many of you are fulfilling a vague dictum from the board to get serious about security because of 9/11, or because of the continuing flow of computer attacks, or because of war. There are plenty of reasons to create a security function. Generally, though, it's done without much notion of what the function should be (never mind a practical job description).
All of that combined with a penny-pinching economy, Lenzner says, makes many of you eminently fireable. If other executives perceive little or no value--or even negative value--from what you're doing, you'll be gone in a New York minute.
The good news is that some of the tips that helped you get the job will also help you keep the job. But here's even more advice, from successful CSOs and ISOs in the field, on how to make yourself truly indispensable so that, one day, you too can rightfully brag like Bob Moore can today.
Easy Is Good
Overall, not getting fired is not so easy for security executives. After all, theirs is a job that, when done well, leads to...well, nothing. Sales executives can show higher sales and not get fired. Accounting executives can show lower expenses and not get fired. But security executives need, literally, to demonstrate that their spending led to nothing and that the company should keep spending money for nothing. Now, that's a talent that requires exceptional skill!
Having said that, you can always start by grabbing for the low-hanging fruit--the easy tasks that demonstrate some of your value now. We're not suggesting that such tasks are the most important steps for you to take, just the first ones. And that is an especially good place to start if you happen to be the company's first security executive. You'll need that "now" payoff that the easy win provides, since there's a fairly good chance your executive board created the CSO position with only a vague sense of need--and with absolutely no good sense of the role. So if the board doesn't see payoff soon, it's likely to lose interest and try to kill the position, or, as it thinks of it, reduce the expenditure.
The easy (and relatively low-cost) first steps that follow will quickly give you purchase, and at the same time help your executive peers know, now, that you're valuable.
First, Do Nothing (But Observe)
Pick your metaphor--survey the environment, do reconnaissance, diagnose the patient. The point is this: A good portion of a new CSO's time should be dedicated to figuring out the corporate culture and how to work (in) it. If you don't, you'll probably lose your job.
Lenzner has seen it happen too many times. "When you go into an organization, you are probationary, no matter what level you're at," she says. "We've watched people go in and start firing, changing policy wholesale, messing with staff--and all before they even know where they are. All before they even have a clear understanding of how the company works."
Conversely, she says, some security executives learn to go into a situation without a clear understanding, yet they thrive. "They take the time to learn the nuances," Lenzner says, "and they find the silent players and learn the politics."
The CSO who spends time studying his environment, says Lenzner, will hear what's said but also hear what's implied. "The CEO will say, We want you to do X, and the good CSO will know that means, We want you to do X, but if you alienate those three divisions of the company over there in the process, you'll win a battle and lose the war. And they'll know when to compromise, adapt."
Then, Do an Audit
A corporatewide security assessment sets your bearings. Much of what you do afterward will be a result of this first major initiative. From this audit, you need a baseline of the company's security status. "Baseline, baseline, baseline," Stephen Northcutt says. "After I was hired but before I even walked into the building at BMDO (Ballistic Missile Defense Organization, now the National Missile Defense), I ordered an independent audit. Why? How am I going to say later that I made 2 percent progress without a baseline?"
You might as well know now that, to stay in your job, you'll need to provide your peer executives--and the board--with more metrics than you ever imagined. Probably more than you have.
OK. Those of you with an IT heritage are now free to complain about how difficult it is to create meaningful security metrics. And those of you from a physical security background are allowed to mourn the loss of those days when no one asked you for them. Too bad for both of you.
"For a long time, security wasn't challenged on metrics. We were different from the rest of the workforce, kind of mystical," says Ray Humphrey, former CSO of Digital. "Recently, I see more emphasis than ever on providing the executive team with benchmarks and data. I happen to think that's excellent."
The hard truth, however, is that the degree of success a CSO can have will largely rest on his ability to provide metrics. "They'll need to move security from the boiler room to the boardroom," says Humphrey.
Next, Pluck the Low-Hanging Fruit
Here's an ancillary benefit of that first major security audit: It will, more often than not, expose one or two gaping holes in corporate security architecture and policy. Fix them right away, and make a big deal out of it.
"Financially, the only reason a CEO will call you is if he discovers losses or suffers an event," says T. Sean McCreary, a risk management specialist at The Motorists Insurance Group who has held security and safety management positions at prisons. Patch up a gaping hole at little or no cost, and you're immediately a minor hero, McCreary says. "You've done much better than coming in and asking for a lot of money to implement some overarching new plan."
Soon after arriving at biotech company Genzyme, CSO Dave Kent learned it had 13 discrete building access systems and that dozens of employees were authorized to delegate access privileges. Kent consolidated down to one system and authorized only a handful of employees to give access privileges (a more secure practice, anyway). Thing is, he also had the overarching new plan that would require tons of resources, but he took the easy win first and used it to build his case for the big picture effort.
Eight years later he's still CSO.
Learn How to Use, Uh, Whaddya Call It?
So you've got a few easy wins under your belt. Now start building a foundation for long-term success. These concrete tips focus on further dousing that mystical aura of security that Humphrey talked about and replacing it with, well, a fiscal aura.
Mike Coughlin, CSO of pharmaceutical company Wyeth, came up through the ranks like many CSOs--more from the law enforcement side of things than from the business side. But Coughlin says that today, an aspiring security executive who studies criminal justice is "having his or her education robbed. I want accounting, management, even English and history," he says. "You used to be able to get away with it. We were in the in-house police force. But no one who wants to keep his CSO job ignores business anymore."
Coughlin says he needs to improve his own business acumen. You get the sense he's exaggerating some--peers speak highly of him--but then again he also says one business skill CSOs need is "the ability to make attractive, uh--what do you call them?--the, uh, presentations. The medium's the message. The ability to be slick, it gets senior management on your side."
PowerPoint is good. Humphrey says to learn budgeting and strategic planning. Variance analysis. "A good security executive," he says emphatically, "can demonstrate contributions to the bottom line, even though their job means taking money from the company and they'll never have irrefutable proof of their effectiveness."
It seems like pretty obvious advice--get business savvy--but it's worth rehashing. Lenzner says she sees candidates who lose sight of this in uncertain situations (such as the one many of you are in--being a new CSO or your company's first one). Those from the physical security world slip into a dogmatic enforcement mentality. And those from the IT world will likewise slump back into a technical posture.
In either case, peer executives will quickly start to expect nothing more from you, and you'll turn into a perfectly fine middle manager with no executive clout, or you'll be let go.
Says Coughlin, "The guys who are admired in this profession are at ease communicating in a business language and environment."
Oftentimes that means using, uh, you know, presentations and stuff.
Adapt to Your Industry
Even Bob Moore, with two decades of impressive credentials, felt "angst" taking the job at Merck. Why? "I was moving to a new industry where I didn't have knowledge and breadth of experience I needed," he says. "I came from oil and gas, which you can steal, but you can't counterfeit. Which is what product security at Merck is about: protecting against counterfeiting. I needed to get up the learning curve quickly." In other words, security is contextual, and you had better know what context you're operating in before you start applying policy and so forth.
Coughlin had a similar experience at Wyeth. "You might have scientists who cheat on drug orders and people who take bribes from vendors here, and cheating and bribes are no different challenges than you might face in a financial services company," he says. "What is unique is the context; biotech is an environment which is like college. It's an academic, campus atmosphere, so I'm not going to secure it the same way I would a financial services company."
Serve Milk and Cookies in Blue Jeans
This odd directive is a composite of two techniques Northcutt experienced in the Navy. First, he held regular sessions, open to anyone, where he would spend a half hour explaining some technology to whoever wanted to know more about it. (It didn't need to be limited to technology. A CSO with broader responsibility could spend a session talking about, say, a "clean desk policy"--keeping sensitive documents from prying eyes.) Northcutt served milk and cookies at these informal awareness sessions.
"You have to understand it was a hostile environment because the security officer there before me treated everyone like, Show me your plan and I'll tell you what's wrong with it. I mean it was overt hostility. Getting fired would have been easy," Northcutt says. The awareness sessions made him less fireable because "people realized security had a clue and we cared about the same things they did."
Or maybe it was the free milk and cookies.
The blue jeans thing, Northcutt says, comes from another former manager of his who, every Friday at 2:30 p.m., set aside the rest of the day to learn something technical. The manager, a buttoned-down type, called it "blue jeans day" even though he always wore business casual and kept a jacket and tie handy.
"It was great because he knew enough that, when you needed him to make hard decisions or operate in a crisis, he knew the basic concepts," Northcutt says. "He knew what words to use, and people respected him."
Welcome to the Business Table
This is a two-step process. Step one: Bond with the other suits.
Don't try to win influence with other executives by grabbing power or competing for resources. "To the extent you can bond with legal, risk management, audit, IT and all the others, do it," Humphrey says. "Match up the sound bites, merge compliance and policy functions."
Then there's alignment. It has the hollow ring of an executive cliché. But here's the thing: If you don't do it, you won't last long.
With the audit committee, especially, you want to buddy up. "It seems to me the idea of competing for resources with audit is the shortest path to going away," says Allan Paller, research director of The SANS Institute and champion of the CISO function. "If you partner with them and share the load and treat audit with due deference, you have a shot. As long as you compete, it won't work." The key here is not to subjugate yourself to these other executives. You must view yourself as their equal. Just don't fight them.
Step two: Crash the executive party. There's no point in explaining this in any other way than Humphrey does, so, keeping in mind that Humphrey was a CSO and also an extended member of the board of directors at Digital, listen to what he says.
"You will not be invited into the executive circle of the corporation unless you elbow your way to the table. Volunteer for committees and workshops outside of security. I've always pushed my junior security managers to do this, and in a very short period of time, I guarantee, nonsecurity folks will come to you and say, Wow, I didn't know you had so much talent in security.
"I might also tell you that the people who've worked for me have gotten accelerated promotions and, throughout America, they're known as Ray Humphrey Graduates," he says. "They are redefining the CSO role because they push themselves into the executive circle."
Lose the 'Tude
Many executives think you have one. A bad one. And we're not just talking about information security officers, either. Even traditional, physical security executives--younger ones anyway--are saddled with a largely negative perception.
In case you didn't notice, we've come now to the soft and fuzzy part of the program, where to-do lists get tossed aside and psychology gets pushed to the forefront. In other words, the boardroom's out; the couch is in. It's time to learn what it means when a CEO, after eliminating the CSO or CISO, says, "There was just something about him that didn't fit with the organization."
You're not going to like what that "just something" about you is. But you should know. Swallow hard and read on.
The physical security chief, according to stereotype, is a rigid and dogmatic "top cop" who has an "arrest" mentality and is a no-man as opposed to a yes-man.
The information security executive comes across as arrogant, a know-it-all who is whiny, defensive, uncooperative and doesn't try to work with others because how could anyone possibly understand the technical challenges he faces?
Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. "We had one CSO candidate for a Fortune 500 not get the job," says Lenzner. "And he--I can hardly explain it, but it was so telling--lashed out about how the company didn't know anything. He was angry. Like a child that didn't get his way."
Northcutt believes the attitude comes from the fact that many CISO candidates are underqualified. "They are stressed out, secretive, edgy and defensive because they don't have the understanding or mastery of tools they need," he says.
At any rate, he explains how the attitude plays out in the business by role-playing as if he were an operations executive being approached by a CSO. "I'm operations. I am the business. My job is to get the trains running on time. My bonus depends on 5 percent better operations. A huge preponderance of my money is based on five nines.
"Then some security guy comes in and says, 'Add this patch,'" Northcutt continues, incredulous and in a mocking tone. "As operations, what do I want to do? Take a bat and smash their heads! Security whines, but above that, they say no. What's up with that? We are the business, Mr. Security Guy. Go figure out how to tell me yes, because that's the only word I want to hear."
In gentler tones, Coughlin says CSOs who come in with a criminal justice background also take the wrong tack. "They'll come around trying to scare the hell out of you. They need to shed that attitude."
Get Downright Humble
It's not just about losing the brash front. You've got to swing to the other extreme. A humble security chief is in the best position to dictate his agenda because he will demonstrate to the other executives that their stereotypes are wrong.
We're defining humble quite specifically here, but we're also leaving very specific traits out of the definition. Humble doesn't mean subservient or compromising. It doesn't mean you downplay your ability or confidence. All of that would just make you inferior to other executives.
Beyond the empirical definition of humble--that is, the opposite of arrogant--there are three facets to how we're defining the term.
First, be affable. That comes from firsthand experience. The sheer niceness of some of the most successful security executives we've encountered during the first year of CSO's life has smashed our preconceptions. Those CSOs who aren't losing their jobs are disarmingly kind and accommodating. This trait extends to crisis situations too, where a calmness and unflappability in the face of a major incident is de rigueur (see "It's a Small World After All"). Lenzner calls it "approachable confident polish," and adds, "These guys hold themselves to a higher level of honesty and loyalty."
Second, cooperate with and rely on other CSOs. This hearkens back to loyalty--security executives honor the profession as much as they do their companies. It is a tight group, almost guildlike. "You pick up the phone and ask, What should I do?" says Wyeth's Coughlin. "Don't pretend you can do it yourself. Real-life experience is so important, and if you don't have it, someone you know will. The security issue transcends competition. We have to cooperate, I think, to a point that CFOs and lawyers would be huffy if they knew how close we were."
Kent of Genzyme talked to his peers around the block about a neighborhood security program as he helps secure a new world headquarters, even though many of those neighbors are direct competitors to Genzyme. Says Humphrey, "Crime itself recognizes no institutional boundaries, and therefore security should not. Good, successful CSOs can recognize the ability to work with colleagues at competitors without sharing proprietary information.
"I know of many situations where--honest--a CSO might end up with competitive intelligence. Say, a notebook. And without exception," Humphrey says, "he will call his colleague at the other company and say, 'This document belongs to you. Here's who's seen it. Nothing more will be done with it.' And they'll give it back. That's the kind of honor we're talking about."
Third, be patient. The problem with having a holistic vision of security, which CSOs by definition ought to have, is it sparks a human impulse to realize that vision now. All at once. That, in turn, will almost definitely alienate you from other executives. "Exercise patience," says Moore. "You can't push everything at once. You have to prioritize."
Moore says his own plan at Merck was a "five-year plan" and that complete buy-in of security as an executive-driven function took three and a half years. It's a virtue for a reason.
Be Tom Cruise
There's an English proverb that says, "Cheat me in the price but not in the goods." It seems security officers--particularly information security officers--have taken this to heart and have learned some "shortcuts" to effectiveness in their jobs. It's probably not a coincidence this somewhat cynical job advice came from ISOs, since IT traditionally treats security as an afterthought, trivial nonsense that threatens deadlines. At any rate, this is how it's done:
In A Few Good Men, Tom Cruise as Lt. Kaffee calls two Navy airmen into the courtroom who provide enough uncertainty to, eventually, unravel the insolent Col. Jessup played by Jack Nicholson. Later, we find out the airmen's presence was a bluff; they were decoys who, if called to testify, had nothing to say.
So be Tom Cruise. Because, at times, you'll be asked to provide more proof than you have for securing a project, even if you know that not securing the project is a great risk.
A CISO at one of the world's largest banks (he requested anonymity, demonstrating that he knows how not to get fired) says he's seen too many recklessly insecure programs get deployed. So he bluffs. The more documentation on hand when you go make the case to operations for securing a project, the better, this ISO says. "It doesn't matter how good the documentation is, really. It just has to weigh a lot. There's a fair bit of marketing involved here. I go in with three good metrics and seven pounds of paper underneath it, and it works. It works every time."
Of course, you'll be building a real portfolio of solid data (see below), but you knew that.
Bill Spernow, the CISO at the Georgia Student Finance Commission, once observed that a security incident has a half-life of about six months. After a major security incident, that's about how long other executives will be looking up to you. Stopping by your office. Taking the time to learn what exactly it is the security team does on a day-to-day basis.
It's also when they'll fund you. "What's amazing about major incidents," Northcutt observes, "is that the status quo ceases. At that moment you can go to the top brass and ask them for anything and they'll do it. Boom.
"And, 100 percent of the time, I'm ready. I've got something on my shopping list. And I'm completely brazen about it. It might have nothing at all to do with the incident at hand, but I'll get it."
In both cases, you're cheating a little bit. But it can be argued that if bluffing and opportunism lower risks to the company, then you cheated on the price but not the goods. You'll have to work out the Machiavellian morals yourself.
Metrics, Metrics, Metrics
Finally, look ahead a little bit. If you've prioritized your to-do list, you've already started looking ahead, in a way, by putting off some projects in favor of others. But there are two other tips you should start thinking about.
We know it's hard. We know it takes time and money, but eventually, security will be completely metrics-driven. So you need to develop, cull and otherwise employ risk analysis metrics and benchmarks. It will satisfy the CEO's and CFO's insatiable appetite for proof of your worth. Paller at SANS believes you should devote considerably more financial resources to developing benchmarks than you do today.
"The ISO is going to the CEO saying there's a chance something bad, and possibly something embarrassing, could happen. But how much of a chance, the ISO doesn't know," Paller says. "And if he spends this kind of money, he can reduce the risk but by how much, he doesn't know. It's simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. They don't want it, and eventually they won't take it."
Create the X-Year Plan
Even as you implement all of the above, you should have an overarching vision for security. Genzyme's Kent had a two-year plan for integrating security into his company's culture. Moore had to build security from the ground up at Merck, and his was a five-year plan.
Moore says that, almost five years into his job, the plan is nearly fulfilled. Merck hadn't employed a security executive before Moore arrived. Today, though, his security plan is comprehensive enough that he talks about coping with sudden and serious security issues like SARS (severe acute respiratory syndrome) even as it actively spreads overseas. He explains Merck's process for dealing with SARS with respect to its employees, in a structured way, in great detail, and, as always, calmly and without the slightest hint of panic.
You don't get the sense Merck's going to let him go any time soon. -- CSO (US)