Information Security News
mailing list archives
In New Era, Corporate Security Looks Beyond Guns and Badges
From: InfoSec News <isn () c4i org>
Date: Tue, 28 May 2002 03:27:53 -0500 (CDT)
http://www.nytimes.com/2002/05/27/technology/27SECU.html
May 27, 2002
By STEVE LOHR
HELP WANTED: Chief Security Officer.
Ominously, vaguely, federal officials are again warning Americans to
be on alert for some sort of terrorist attack. Will corporate America
be ready?
In the months since the Sept. 11 attack on New York destroyed the
World Trade Center towers, killed thousands of workers and disrupted
dozens of companies, businesses have been forced to review their
notions of corporate security. And with those assessments has come
realization that the job calls for a new kind of corporate security
executive - one with breadth of experience, analytic skills, business
acumen and leadership qualities. The job, in other words, calls for a
chief security officer, or C.S.O., as the emerging term of art would
have it.
The security field's leading professional organization is drawing up a
detailed description of the skills and responsibilities of the job.
The elusive ideal is an executive not only familiar with the physical
security of people and property, but also fluent in the digital
security of computers and information - roughly equal parts top cop,
business manager and computer geek.
Executive headhunters are recruiting people who fit the description
and, with their talents suddenly much in demand, chief security
officers can earn more than $400,000 a year. A new magazine, called
CSO, is scheduled to begin publication in September.
And yet, for all the activity, "the truly broad-based candidates are
relatively rare," said Lance Wright, a vice president of Boyden Global
Executive Search, a recruiter. Despite the talent scouting by
headhunters, companies are apparently taking their time in hiring
senior security executives. A survey of 390 large companies last month
by Christian & Timbers, a search firm, found that while 95 percent
said they needed to hire a chief security officer, only 8 percent said
they had begun the recruiting.
And a separate study, "The Changing Nature of the Chief Security
Officer," from the Giga Information Group, a research firm, found that
while large corporations were increasing their security budgets and
that some senior security executives' salaries were well into six
figures, others were making as little as $70,000.
With its eye on criminality and terrorism, the security field is "a
different world and an unfamiliar world to a lot of mainstream
businesspeople," said Timothy Williams, a former Cincinnati policeman with
an M.B.A. who directs corporate and systems security for Nortel
Networks, the big communications equipment maker. But different though
it may be, Mr. Williams said, "security is a business process" - a
matter of setting priorities and strategy, establishing processes and
measuring their effectiveness.
The C.S.O. title is meant to suggest that security matters are
becoming a more important and integral part of corporate life. Roughly
15 years ago, another three-letter corporate title started to surface,
C.I.O., or chief information officer. It was initially greeted with
skepticism, even derision.
But C.I.O. was more than a name; it was a recognition that information
technology was not just electronic plumbing or a narrow specialty, but
something that could affect the mainstream business, strategy and
competitiveness. The C.I.O. is now an established and respected
executive job at most major corporations.
It is too early to tell whether the C.S.O. will eventually reach
comparable stature. But even before Sept. 11, the corporate security
field had been steadily evolving in response to the major business and
technological developments of the last two decades. Globalization,
deregulation, outsourcing, just-in-time inventory practices, the
embrace of information technology and the rise of the Internet have
all brought greater openness and efficiency, along with new
vulnerabilities.
The people managing security at large corporations have also changed
with the times, well beyond the "guns and badges" days of mainly
overseeing building security guards and investigations of the "who
stole the petty cash" variety. In today's open economy, a point of
access in security terms is not just a headquarters office or a
factory gate, but also a computer network connection that could be a
gateway to a company's customer databases or product designs.
The senior security manager has "gone from a corporate cop guy to a
real business position," said Grant Crabtree, vice president for
corporate security at the Alltel Corporation, a provider of wireless
phone service and other telecommunications services, based in Little
Rock, Ark.
Senior security officers have typically climbed the corporate ranks
through one of two distinct paths, as experts in either physical
security or data security. The physical security people usually are
former police officers, military officers or federal agents, while the
data security people tend to be former computer scientists, engineers
and programmers.
Mr. Williams, 50, of Nortel is no newcomer to the field. He has spent
22 years in corporate security, including stints at Procter & Gamble
and Boise Cascade, and he is also a co-author of a well-regarded book
on fraud.
A few years ago, he set up a 15-person global security council at
Nortel, composed of senior managers in departments including real
estate, finance, information technology, manufacturing and
procurement. Its purpose, Mr. Williams explained, was to be able to
take a comprehensive approach to security matters "across all the core
businesses and functions."
Fifteen minutes after the first hijacked jetliner hit the World Trade
Center in September, Mr. Williams, working from his office in
Nashville, convened the council by conference call, as colleagues
checked employee databases and travel itineraries to see if any Nortel
employees were on the plane or in the World Trade Center. None were.
For the next several months, in weekly calls, the group monitored a
review and tightening of security programs at the company, which has
more than 40,000 employees in Canada, the United States and overseas.
Like many companies, Nortel re-examined and fine-tuned all kinds of
basic security, like reception desk and ID card procedures, as well as
safeguards for limiting to authorized employees and suppliers the
right to remote access to the company's computer networks. Mr.
Williams, like other security officers interviewed for this article,
declined to discuss the changes in detail.
But one new measure was adding a security section to Nortel's internal
Web site, which includes country-risk reports for traveling employees,
emergency procedures for building evacuations and recent news articles
on physical and data security. For anyone with questions, the site has
a link to send e-mail messages to Mr. Williams or other security staff
members.
At General Motors, James Christiansen, 43, the chief information
security officer, came up through the data security ranks. His
computing career began at 19, as a programmer writing code to automate
the calculation of electrical rates and customer billing for a utility
company in Utah. As his programming skills broadened, he became more
interested in security technology and in business, earning both
undergraduate and M.B.A. degrees.
General Motors hired Mr. Christiansen in November from Visa
International, where he was a senior vice president. His title is a
new one at G.M., but the company had begun recruiting him months
before Sept. 11, an indication that information security had already
become a priority for senior management. A big part of the comeback
story at General Motors in recent years has been its use of
information technology to forge closer links with suppliers, shorten
product design-and-development cycles and manage its worldwide
operations.
Yet operating in a global, networked world, where collaboration and
information sharing are essential, brings new security risks. The
access to computer networks for employees, suppliers or contractors
that can make a company more nimble and fleet-footed also makes a
company far more vulnerable to theft, sabotage and information-warfare
attacks.
"It is the digitization of the enterprise that drives the importance
of information security to the top," Mr. Christiansen said recently in
his Detroit office. "Our car designs are all mathematical models. You
don't make a single car, a single truck, without a computer system -
actually, several of them."
Major manufacturing corporations like General Motors have been
adapting their supply pipelines for years. In 1996, G.M. learned a
costly lesson in the potential pitfalls of just-in-time inventory
practices when an 18-day strike at two factories that supplied brakes
shut down 26 assembly plants, reducing quarterly earnings by $900
million. Afterward, the company reorganized its manufacturing and
supply channels so that production of critical parts was more
diversified and flexible, making it far less susceptible to the loss
of a single plant or two.
Mr. Christiansen's job is to make similar, risk-reducing steps for the
data networks that connect the company's operations and people. "It is
the equivalent of G.M.'s nervous system," he said, "and if it were
knocked out, it would be as if suddenly your arms and legs don't work
anymore."
Mr. Christiansen must make sure that, beyond any physical attacks,
such cyberweapons as an industrial-strength denial-of-service software
attack, a self-replicating worm or a computer virus cannot bring the
network down. Clever software tools - so-called intrusion engines,
neural-network technology and the like - can help limit the damage
from network sabotage like the Nimda worm, which cost companies
around the world an estimated $500 million last fall.
Yet the more important safeguard, Mr. Christiansen said, is designing
computer systems and putting in place employee procedures to reduce
risks before the problems occur. "Security isn't technology," he said.
"Security is process, though it is enabled by technology."
The American Society for Industrial Security, a professional
organization with 32,000 members, wants to hasten the evolution of the
field. In the last few months, the organization has been developing a
detailed description of the preferred qualifications and
responsibilities for "the new position of chief security officer." The
work is not finished, but the draft proposal says the chief security
officer - who would ideally hold a graduate degree in business or law
- should be a senior executive with strong analytic, strategic and
communications skills in addition to security expertise.
"For corporate North America, 9/11 was a wake-up, bar none," said Mr.
Williams of Nortel, who worked on the society's job-description
document. "There will be a lasting effect, and many corporations
recognize they need security leadership. But there is also a real need
within the security field to broaden itself."
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.