What Would You Do As Chief Information Security Officer?

Four CSOs share insights into what's involved in being the security guardians of their enterprises

Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO — or alternatively, "chief security officer", which might include physical security as well — isn't either. The four security professionals who share their priorities with us make it clear there's nothing cookie-cutter about the top IT security job.

Name: Beth Cannon

Title: Chief security officer at San Francisco-based merchant bank Thomas Weisel Partners

Installed base: 700 employees using servers, desktop and laptop computers, plus 450 handhelds, mainly BlackBerry

Broad concerns about regulatory compliance were instrumental in creating the chief security officer job at US merchant bank Thomas Weisel Partners back in 2004.

"Among the drivers for the CSO job were the disaster-recovery rules coming into play from the Securities and Exchange Commission (SEC) after 9/11," says Beth Cannon, the first-ever CSO there. "We also needed to look at Sarbanes-Oxley because we were planning to go public."

Thomas Weisel Partners decided to carve out the job in order to have a point person acting as central liaison between the legal department, IT and upper management in crafting IT security policy.

Cannon, who reports to the CIO, said she has made it a priority to have telecom providers disclose how lines to the bank's corporate clients are routed to avoid an over-concentration in one area — one horrible lesson learned after the Sept. 11 terrorist act on New York — and is looking at VoIP as an option for some services to users.

While it's not always easy to build unity internally around security policies, one advantage, she says, is that her eight-year tenure at the firm — she was the chief technology officer there before accepting the position as CSO — meant "I've built a lot of relationships."

This helped in the situation when she had to sit down with the legal department and IT to hammer out security policies she was advocating for the hundreds of BlackBerries and laptops that employees take with them for mobile computing.

While sometimes employees baulk at policies such as password time-outs or encryption that may add complexity, says Cannon, it's easier to help change a pattern of computer behaviour when the discussion occurs between people who personally know each other. "The relationship really becomes the key," said Cannon.

Name: Jalal Zamanali

Title: Senior vice president of information technology and chief information security officer at US-based Temple-Inland and its subsidiary Guaranty Financial Services.

Installed base: 16,000 end users, mainly in North America, in a primarily Windows-based computing environment, with 1200 servers and mainframe.

One of the first things that Jalal Zamanali did after joining Temple-Inland, a large firm with interests in corrugated packaging, forestry, real estate and financial services, was to do a security assessment "to see where we are and where we ought to be", he notes.

He also organized the staff of 17 security specialists into three teams — one to conduct penetration testing, a second to handle security monitoring and management, and the third dedicated to "security governance", which he describes as "policy development and standards development".

"The standards specify elements in the policy, such as authorization, authentication, and their requirements," says Zamanali.

Now at Temple-Inland for about one-and-a-half years, one of Zamanali's first priorities was deploying a security-information management product to centralize security-event reporting, in this case one from NetIQ.

"Without tools to identify some events we're interested in, it can be like finding a needle in a haystack," said Zamanali, who reports to the chief risk officer, who in turn reports to the CEO. Upper management's concerns generally relate to compliance with regulations that include Sarbanes-Oxley and Gramm-Leach-Bliley, he notes.

Zamanali, who came to Temple-Inland after stints in top security jobs at JP Morgan Chase, IBM Global Services and Dell, says his early work life actually began as an engineer designing nuclear submarines. Like many others living through the age of rapid expansion of information technology and security, he said he simply became fascinated with it and decided to switch careers.

Name: Isabelle Theisen

Title: Chief security officer at US-based First Advantage mortgage services

Installed base: About 6000 workstations, PCs and servers, plus some BlackBerry and mobile phones, for about 4500 employees

When Isabelle Theisen joined Florida-based First Advantage about one and a half years ago as its first-ever chief security officer, she sensed the new job, where she reports directly to the company president, was going to be dynamic.

"This is intended to be proactive management, and a team of five people, also all new, came in at that time, too," said Theisen, who says she started out in her career as a firewall administrator at US Ernst & Young, with her previous job in security at American Express.

Her CSO team now works with 17 members of the First Advantage IT department on security tasks that include risk evaluation, logging and monitoring of all security devices. There are plans under way to monitor all the servers.

One main security push is to deploy intrusion-prevention systems, in this case TippingPoint, at first just in monitoring mode but eventually to block attacks. "Are we getting attacks, perhaps from Russia, China or whatever?" Theisen asks. "It's about stopping that." As it deploys IPS, First Advantage will probably phase out stand-alone intrusion-detection systems that only monitor.

First Advantage has "allowed me to build a three-year strategy and road map" in order to dovetail security with business plans for a Web portal and other online efforts, Theisen notes. In the security division she has organized, compliance reporting and building a security operations centre are the two main areas of focus, with future efforts to encompass identity management.

Name: Martin Carmichael

Title: Chief security officer at McAfee

Installed base: Windows-based computers to support over 3600 employees globally, many of whom also have BlackBerries and mobile phones, not all provided by McAfee

Although McAfee is a veteran in terms of selling security products, it didn't really have a well-defined chief security officer position until Martin Carmichael joined last October.

"Before me there was a security officer who was a consultant from Deloitte & Touche," says Carmichael. "This is the first time the office is broadly defined."

Specifically, Carmichael takes on CSO responsibilities that include defining risk management and compliance reporting for McAfee as well as acting as the chief privacy officer on questions of personally identifiable data. "I report jointly to the CIO and to the board," says Carmichael.

Carmichael, who has 22 security specialists directly assigned to his security group with 160 others at McAfee working collaboratively with his division, has already organized a number of specialized teams that include security operations, compliance and business continuity.

Carmichael noted that sometimes highly technical people "don't communicate as well with businesspeople as we'd hope". By formally building bridges between the technical and business sides, Carmichael hopes to achieve the best results within an allotted budget. "I'm here to reduce risk. I fight for budget resources," said Carmichael. "I can't imagine one CSO in the world who doesn't lobby for more."

Carmichael comes to McAfee from the US wireless handset insurance provider Asurion where he was CSO, and has also held senior IT security positions at US organizations such as Wells Fargo, Los Alamos National Laboratory, Oak Ridge National Laboratory, and NATO. Carmichael fondly recalls working on one of the very first commercial firewalls at Digital Equipment.

While there are a number of useful security governance models, Carmichael says his own favourite is a security-evaluation metric called the Systems Security Engineering Capability Maturity Model, which was developed by the Defence Department and some industry partners to evaluate both practices and products.

"It's a process-based framework metric we could use at McAfee," Carmichael concluded.