Stories by Constantine Von Hoffman

Jack Jones: Numbers game

By Constantine Von Hoffman | 03 August, 2012 23:06

When someone says Jack Jones wrote the book on how to think about information risk, they mean it literally. He created the Factor Analysis of Information Risk (FAIR), which gave security professionals a method of defining and analyzing risk in a way that was more consistent and understandable.

Shelley Stewart: Business view

By Constantine Von Hoffman | 03 August, 2012 23:01

With her broader view of risk and deep knowledge of business, Shelley Stewart has made risk and security management a value creator. The executive director of global security for Cummins, an international manufacturer of diesel engines and power generators, didn't come to the position with the usual background in security.

Kristin Lovejoy: Enabling innovation

By Constantine Von Hoffman | 03 August, 2012 22:44

Imagine for a moment you work for one of the best-known companies in the world, one that made computers an essential part of business. Imagine this company, with more than half a million employees, had let each business unit create its own security systems as long as it followed certain guidelines. Now imagine it's time to replace that with an enterprisewide security architecture. Most people would reasonably imagine this to be a scary, overwhelming project.

Dick Parry: Culture change

By Constantine Von Hoffman | 03 August, 2012 22:38

Over the past 30 years, Novartis's Dick Parry has seen and done almost everything in the security field. He has gone from beat cop all the way up to head of security and information protection for a world-renowned medical research institute. Doing so has meant changing in ways he never anticipated when he started out.

Eric Cowperthwaite: Connect the dots

By Constantine Von Hoffman | 03 August, 2012 22:26

Businesses frequently divide risk and security efforts among several business units or make them specific to a certain place or type of activity: Electronic is separate from physical is separate from financial. However, keeping them all apart makes it impossible to understand how one risk can affect and exacerbate so many others. That's the problem Eric Cowperthwaite, CISO for Providence Health and Services, is most concerned with.

Rick Kelly: Value focus

By Constantine Von Hoffman | 03 August, 2012 22:02

In its more than 200-year history, Harsco had never had a CSO or even much interest in security. That changed in 2008 when the industrial services company asked Rick Kelly to come in as CSO and create a security and risk function. This was no small task: Harsco has 450 locations in 55 countries and had $3 billion in revenues last year.


Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.