We put questions to a host of CSOs and a leading recruiter to see how the shape of the security practice is changing
Security You Can Bank On
by Matt Rodgers
I’ve barely had time to take in the lavishly ornate art deco styling of the Commonwealth Bank’s headquarters in Sydney when John Geurts, the bank’s executive general manager of group security, motions to an imposing set of steel doors behind me.
“Last year, some guys walked in through those very same doors that you just did, then jumped over the barrier, threatened the tellers and grabbed as much cash as they could before disappearing back into the crowd on the street. The whole incident took about 90 seconds, and then they were gone.”
For executives like Geurts, security is not an abstract science. Back when many of his colleagues at the Commonwealth Bank were studying for their MBAs or learning how to operate their ERP systems, Geurts, a 19-year veteran of the Australian Federal Police (AFP), was busy investigating organized crime and money laundering. And while other corporate security executives are fretting over cyberattacks and network vulnerabilities, Geurts is also busy making plans to counteract the very real threat of physical violence that many of the bank’s 33,000 employees face every day.
“Technology just mirrors our manual processes and our traditional ways of doing business,” Geurts says. “So many of the crimes we’ve experienced here are just different ways of doing the same crimes. There are new crimes emerging, like denial of service, but I still have to focus on good old traditional crimes like bank robberies and threats to our staff. That’s a big problem now, in terms of my effort, because the level of violence in the community is still unacceptably high.”
Perhaps because he’s responsible for the safety of so many Commonwealth Bank employees, Geurts considers the distinction between CSOs and CISOs to be an important one. “It’s my fundamental belief that the true CSO is the single senior executive responsible for all aspects of security,” he says. “By ‘aspects of security’ I mean all matters relating to investigations, financial crimes, information security, physical security, protective security, executive protection and crisis management. If all you handle is information security, in my view you’re not a CSO — at least not in the banking sector, because financial crimes can be committed physically as well as via the Internet.”
Rising in the Ranks
Geurts was lured away from the Federal Police three and a-half years ago, after an internal analysis conducted by the Commonwealth Bank concluded that the financial institution needed to enlist an executive with security expertise to manage the new security threats emerging in the wake of e-commerce.
“The criminal adversaries we face do not restrict themselves to product lines or geographic boundaries. If there’s fraud to be committed or money to be taken from the bank, they’ll do it whatever way they can, so you can’t have a fragmented approach to security,” Geurts says.
This desire to avoid a fragmented approach led to the model the Commonwealth Bank currently employs, what Geurts refers to as the bank’s “holistic” approach to security.
“I must say that the model has to relate to the type of business you’re in — the customer base, geographic diversity, and so on. But what was best for the Commonwealth Bank is a completely integrated holistic security model, which has fraud, information security, protective security and crisis management all wrapped up in a single role.”
Geurts began his career with the AFP as a uniformed constable and eventually worked his way up in the ranks to become director of technical operations before accepting the Commonwealth Bank’s invitation to become chief of security. “I’ve been privileged to have a diverse and varied career in law enforcement,” he says. “I worked in major fraud, I worked in the AFP training college for three years teaching people about investigations, and I spent six tremendous years in Sydney working in organized crime – both leading investigations and also delving into the financial aspects.”
In the mid-90s Geurts was the financial investigator on a major operation that involved the seizure of 15 tons of cannabis resin and the forfeiture of several million dollars in assets. Later, as director of technical operations, he was responsible for running the AFP’s computer forensic labs as well as conducting telecommunications interceptions and other forms of electronic surveillance. During these years Geurts also sat on the Australasian Police Commissioner’s task force on electronic crime and a number of other government committees related to the protection of Australia’s national information infrastructure. “It was during this time I became a lot more involved with the business community and the policy aspects of electronic crime,” Geurts says.
Learning the Business
Soon after accepting the position, Geurts realized that his law enforcement background would only carry him so far at the Commonwealth Bank; to succeed as the bank’s new security chief, he would have to educate himself in the intricacies of the organization’s various business units.
“The biggest issue security professionals have is business acumen,” Geurts says. “I suppose I was lucky having a fraud background because at least you learn how to understand business – even if it is from the wrong end!” Nevertheless, Geurts says it was a difficult transition to go from law enforcement straight into one of the country’s largest and oldest financial institutions. Geurts undertook tertiary studies in business whilst in the AFP, earning a graduate certificate in banking and finance from Monash University, but he still insists that he had to work hard to fully understand the needs of the bank’s different business units. He credits the knowledge and skills he developed to the guidance of the bank’s senior executives, including CEO David Murray, all of whom took the time to make their expectations clear.
“It’s not a given that you automatically have the credibility because you have the role. I think I learnt from some very good people inside the bank and outside the bank who helped me over the years to understand that fraud and security management is about understanding the business, understanding who your customers are and managing the risk.”
But even understanding the business sometimes isn’t enough. Geurts says that gaining credibility with the bank’s business units means being willing to advise them and work with them to solve their security dilemmas. “Where I think many information security people fall down is that they’re technical experts with a limited understanding of the business,” Geurts says. “They spread fear, uncertainty and doubt and eventually with business people you lose credibility if the worst doesn’t happen. Thinking like the business, being prepared to do thorough risk analysis and invest where appropriate – that’s what gets you your credibility. Technical expertise alone won’t get you any credibility — especially in a big organization.”
Another point that Geurts can’t stress enough: security has to be led by someone who can get access to executive management. “Security risk management, like many elements of risk management, is a board-level accountability,” Geurts asserts. “CEO David Murray is a tremendous supporter of everything we have tried to achieve in security, and that’s because he knows it’s part of his accountability. We’re a very big organization, with 10 million customers and 33,000-plus staff, so it’s no simple exercise to manage security without senior executive support.”
In the long term, Geurts is focused on how to best apply the bank’s security resources across the sheer breadth of the organization. “The business units are each responsible for ensuring that they effectively manage their risks, and my job is to ensure that we provide them with the advice and understanding to try and design risk out of a new service or offering right from the beginning. We don’t treat security as a competitive issue per se, but if we can manage risk better than our competitors then we’ve turned it into a competitive advantage.”
Another long-range issue on Geurts’s mind is ensuring the sustainability of the bank’s key infrastructure in the event of a natural disaster or terrorist attack. “Sustainability of our infrastructure is a critical issue and it’s something that we obviously work on not only within the organization, but with government and industry bodies as well,” Geurts says.
Underpinning Geurts’s security goals is a commitment to educating the bank’s customers and staff about what good security means. “We want people to know three key things in relation to security,” Geurts says. “They need to know what a security event or incident is when they see one. They have to know what to do. And they have to know who to tell. In an organization with our diversity, the message we give one of our customer service specialists in a suburban branch is totally different to the message we’d give somebody in head office. So the challenge of communicating effectively what security is and what it means, without creating a culture of fear, is a tremendous challenge.”
In the short term, Geurts claims to be alarmed by the rapid pace at which electronic threats seem to be evolving. “The speed and diversity of the e-crime issues we face is an immediate concern,” he says. “The fraudsters are becoming more organized and sophisticated — and global, which creates its own challenges — and some of them are taking advantage of our customers’ lack of e-security awareness.”
Fortunately for the Commonwealth Bank, Geurts’s years in federal law enforcement, where he worked on several transnational investigations, taught him how to think beyond Australia’s borders. This has proved crucial in today’s post-September 11, post-Enron business landscape, where regulatory changes overseas can have a direct impact on how Australian companies conduct business locally. For instance, to maintain its registration with the Securities and Exchange Commission (SEC) in the United States, the Commonwealth Bank must comply with a range of new US legislation, including changes ushered in by the Sarbanes-Oxley Act.
“In order to effectively operate in global markets, you have to understand the issues of those markets,” Geurts says. “If you look at the Sarbanes-Oxley legislation and the Basel II capital accord, these broader international issues affect how you manage your control environment within your organization. From a security perspective, we do as much as we can to understand what’s happening with issues like terrorist financing and money laundering, but the situation in our Indonesian business is totally different to the situation with our UK business. So we work through our business units to make sure we have the bases covered, and we do as much as we can through these business units because they have the local knowledge.”
This willingness to defer to the experts on specialist areas is one of the things that separates Geurts from the rest of the security executive pack. Despite the fact that he is a rarity among Australian CSOs — namely a security chief who brings to the job almost 20 years worth of law enforcement experience — Geurts claims that some of the most valuable skills he acquired during his tenure with the AFP were not crime fighting techniques, but rather the delicate people-management skills required to manage teams successfully.
“What I did learn from law enforcement came mainly from a handful of people who, over the course of my career, mentored me in relation to the critical aspects of working in teams. When you do a two- or three-year proactive investigation, there are huge teams involved, so no one person can ever claim the credit for themselves,” Geurts says.
“Law enforcement is all about teams, and it’s the same here. I’m not an expert in everything. I’ve got a tremendously skilled team; they are the experts. Managing the people, knowing who your customers are and understanding their expectations — that’s what makes all the difference.”
Security Steeped in Culture
Francis D’Addario, CSO, Starbucks
By Derek Slater and Lew McCreary
People often talk about embedding the practice of security into the business processes of an enterprise. Francis D’Addario, the CSO of Starbucks, has taken that notion one step further. D’Addario’s Partner and Asset Protection group literally steeps in the Starbucks culture and philosophy. In practice, security at Starbucks is entirely aligned with corporate values of trust, dignity and quality assurance, all in the service of creating a customer experience that is both globally consistent and locally relevant. And, of course, profitable for the company.
And profitability depends, to a great extent, on the safety and comfort level of every Starbucks location. Fast-food restaurant chains do a high-volume, mostly cash business. As such, they are well-known robbery targets. If the people inside a Starbucks store are edgy, it should only be because of the caffeine. When you walk in, you’re supposed to find a congenial little oasis where you can chill out, tap into the wireless cloud and disconnect from the worries of the world.
D’Addario sees a direct link between his work and the ability to sustain that kind of environment. “There’s been a school of thought, from time to time in different organisations, that the security mission is something that is competitive with operations,” he says. “In this company, it’s pretty well interwoven in the culture.”
He got his start in law enforcement more than 25 years ago, analysing crime data to discern relevant geographical patterns (“It was pretty interesting putting the human behaviour to what the logical coordinates were”). He remains a believer in data as a driver of security management. “We do an orientation that has been described as ‘protecting the Starbucks experience by the numbers’. And I’d say today that the logical consequence of relevant information [provides] almost a dashboard of key performance metrics. I mean this in terms of the capability to assess risk by analysing, say, robberies per thousand units to determine the financial return on prevention investments,” he says. In such an exercise, D’Addario would look at both “the incident impact risk, which would be commercial armed robbery”, and at the overall effect of acquiring preventive systems on the profitability of stores.
The Starbucks culture is reflected in the habit of referring to the folks who sell you your double low-fat latte as “partners”, not as employees. Among the unofficial partner benefits is the benefit of the doubt. Thus, in the area of loss prevention, the security group behaves less like investigators and inquisitors than like polite observers of a sudden unexpected performance variance in a particular store, at such and such a register, during such and such a shift. “We have an exception-based reporting system that allows us to analyse the activity of all partners from the same [store] and to broadly look at their activity against performance rules,” says D’Addario. Those rules “allow us to see how particular individual performances stack up in a district or a region, [and] to know not only whether the exceptional behaviour is peculiar to the store — our interest gets perked if it is also peculiar to the district and the region”.
When a variance is noted, a letter is sent to the individual partner (with a copy to the store manager) “stipulating what the activity was that we saw and asking for a discreet explanation”. Such a letter, says D’Addario, “is meant to be instructive. It instructs the partner on policy. In context, it becomes a warning mechanism.” Starbucks observes a three-strikes policy that, after repeated unexplained variances, can culminate in a partner’s termination. “Typically, when the activity is truly exceptional, the letters . . . show a significant return on investment over a number of weeks.” In other words, the letters make the problem go away. The fact that a partner may get the benefit of the doubt in such a situation is in keeping with the Starbucks “culture of trust” and contributes more effectively to the goal of maintaining a congenial atmosphere in the stores than more intrusive investigations would.
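The exception-based reporting D’Addario describes can be sketched as a small program. The following is an added illustration, not Starbucks’ own system or code: it sums constructed shift records per partner, compares each partner’s void rate against the median of peers at store, district and region scope under an assumed rule (an exception is a rate more than three times the peer median), reports every scope at which the partner stands out, and maps a partner’s history of unexplained variances to the next step under a three-strikes rule. The metric, thresholds, unit names and all data are assumptions made for the example.

```python
"""Exception-based reporting over constructed shift data (illustration only).

A partner's void rate is compared with peers at store, district and region
scope; the widest scope at which it still stands out is the interesting one,
as the text describes.  Repeat unexplained variances are counted under a
three-strikes rule.  Nothing here is Starbucks data or Starbucks code.
"""
from dataclasses import dataclass
from statistics import median

# Constructed shift records:
# (partner, store, district, region, transactions rung, voids/refunds)
SHIFTS = [
    ("p01", "S1", "D1", "R1", 400, 4),
    ("p02", "S1", "D1", "R1", 380, 3),
    ("p03", "S1", "D1", "R1", 410, 41),   # far above peers at every scope
    ("p03", "S1", "D1", "R1", 200, 19),   # second shift for the same partner
    ("p04", "S2", "D1", "R1", 390, 5),
    ("p05", "S2", "D1", "R1", 420, 4),
    ("p14", "S2", "D1", "R1", 20, 3),     # too little activity to judge
    ("p06", "S3", "D2", "R1", 400, 4),
    ("p07", "S3", "D2", "R1", 405, 3),
    ("p08", "S4", "D2", "R1", 395, 5),    # sole partner in store: no store peers
    ("p09", "S5", "D3", "R1", 400, 0),
    ("p10", "S5", "D3", "R1", 400, 1),
    ("p11", "S5", "D3", "R1", 400, 7),    # stands out in the store, not the district
    ("p12", "S6", "D3", "R1", 400, 4),
    ("p13", "S6", "D3", "R1", 400, 5),
]

RULE_FACTOR = 3.0        # assumed rule: exception when rate > 3x the peer median
MIN_TRANSACTIONS = 100   # partners below this are neither judged nor used as peers
SCOPES = ("store", "district", "region")   # tested in widening order


@dataclass
class Partner:
    store: str
    district: str
    region: str
    transactions: int = 0
    voids: int = 0

    @property
    def rate(self) -> float:
        return self.voids / self.transactions

    def unit(self, scope: str) -> str:
        return getattr(self, scope)


def aggregate(shifts, min_transactions=MIN_TRANSACTIONS):
    """Sum each partner's shifts and drop partners with too little activity."""
    partners = {}
    for pid, store, district, region, tx, voids in shifts:
        p = partners.setdefault(pid, Partner(store, district, region))
        p.transactions += tx
        p.voids += voids
    return {pid: p for pid, p in partners.items() if p.transactions >= min_transactions}


def find_exceptions(shifts, factor=RULE_FACTOR, min_transactions=MIN_TRANSACTIONS):
    """Return {partner: tuple of scopes at which the partner's rate breaks the rule}.

    A partner listed only under 'store' is a local outlier; one listed through
    'region' stands out against the whole population.
    """
    partners = aggregate(shifts, min_transactions)
    flagged = {}
    for pid, p in partners.items():
        scopes = []
        for scope in SCOPES:
            peers = [q.rate for qid, q in partners.items()
                     if qid != pid and q.unit(scope) == p.unit(scope)]
            if not peers:            # nobody to compare against at this scope
                continue
            if p.rate > factor * median(peers):
                scopes.append(scope)
        if scopes:
            flagged[pid] = tuple(scopes)
    return flagged


def three_strikes(outcomes):
    """Map a partner's review history to the next step under a three-strikes rule.

    outcomes: sequence of 'explained' / 'unexplained' verdicts on earlier letters.
    """
    strikes = sum(1 for o in outcomes if o == "unexplained")
    if strikes == 0:
        return "no action"
    if strikes < 3:
        return f"letter to partner, copy to store manager (strike {strikes})"
    return "third strike: refer for termination review"


if __name__ == "__main__":
    for pid, scopes in sorted(find_exceptions(SHIFTS).items()):
        print(pid, "exceptional at:", ", ".join(scopes))
    print(three_strikes(["unexplained", "explained", "unexplained"]))
```

Running it flags p03 at store, district and region and p11 at store only; p14 is excluded for insufficient activity and p08, with no store peers, is judged only at district and region. The peer median is used rather than the mean so that one extreme partner does not lift the baseline for everyone else in the same unit.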
“It’s not only tangible fiscal objectives being reached; there’s also the fun that happens in the store that you witness as a customer,” says D’Addario. If someone is stealing in a store, he says, “that affects the amount of labour that is scheduled; it affects the speed of service and the cleanliness of that store; it affects the ability of that partner to spend several moments with you to ask how your vacation was or be able to entice you to try a new offering. When organisations don’t have accountability and a commitment to quality throughout, then they begin to miss the opportunities of really having added value in the customer experience.”
Starbucks, he adds, “is, happily, the most unusual environment I’ve had the benefit of working in. I say that because executive management walks the talk here, from a corporate social responsibility point of view. The whole enticement of being a large successful company is really balanced by our ability to connect with each and every customer. I believe when we’re operating in Lebanon or China or Japan, it’s not this big American company that has this global face. There’s all these local people in there listening to the music and enjoying their beverages. And it’s very interesting to visit and see this experience happening, where there’s a celebration and a connection . . . And it works quite well.”
Well Covered
Peter Rowe, Infrastructure and Architecture Services Manager, IT, Allianz Australia
By Matt Rodgers
Allianz Australia’s Peter Rowe is one information security chief who doesn’t have to worry about establishing credibility with management. When you work for an insurance company that provides some form of insurance cover for approximately two-thirds of Australia’s top 50 corporations, your colleagues from the business don’t need much convincing about things like the risk of fraud and the importance of tight IT security.
“It’s not a problem I have here,” Rowe says. “There’s a great deal of awareness about it at the executive level, so getting project funding and support for closing security vulnerabilities is not an issue.”
Allianz has always been a security conscious company, Rowe says — the nature of the insurance business demands it. However, the company’s current emphasis on security is, at least in part, the result of the dramatic shakeout in the Australian insurance industry following the $5.3 billion implosion of HIH. In the wake of HIH’s collapse the federal government radically overhauled Australia’s banking and insurance regulator, the Australian Prudential Regulation Authority, investing the agency with new investigatory and enforcement powers similar to those of the corporate regulator, the Australian Securities and Investments Commission. “We have no issues with meeting these additional regulatory requirements and as a by-product it’s given risk management and security a much higher profile within the organisation,” Rowe says.
Nevertheless Rowe is not overly concerned about Allianz being ripped off, from within or without. After all, a company doesn’t handle workers compensation claims for 90 years without learning a few things about scams and how to spot them. “Fraud is always a possibility in an insurance organisation, but we have good monitoring and reporting to alert us about suspicious account activity,” Rowe says. “Obviously we’ve spent a number of years perfecting that,” he adds. Many years, in fact. Allianz is not only one of the largest general insurance companies in Australia, it’s also one of the oldest. Before it was purchased by the Munich-based global insurance giant Allianz AG in 1998, Allianz Australia was MMI, an Australian insurer with a history as a workers compensation underwriter that stretches back to 1914.
As infrastructure and architecture services manager of Allianz’s IT division, Rowe is responsible for around 3200 desktops in offices spread throughout Australia and New Zealand. He also oversees Allianz’s outsourcing relationships with CSC and Telstra, and manages the company’s inhouse reporting tools and assorted Web-based applications — including the attendant security concerns these systems generate.
When it comes to the security challenges he deals with on a day-to-day basis, Rowe cites the usual list of suspects: worms, viruses, DoS attacks and the challenges of maintaining security controls in an increasingly wireless world.
“On the network side of security we still see worms as a big time consumer,” Rowe says. “We measure our success by the number of worms we stop from coming in, and that amount is quite reasonable across the organisation. But we’re always improving — you constantly have to improve.”
In particular, Rowe worries about the prospect of facing a “zero day” attack — one in which less than 24 hours pass between the announcement of a vulnerability and the appearance of an exploit for it.
“I think there’s a great possibility that we’ll be subjected to an attack of that nature,” he says. “We’ve been able to keep ahead of the game so far, but I still believe that eventually there’s going to be an attack where there’s no patch available, and that will cause us the biggest amount of grief.”
As with his other IT responsibilities, Rowe views his information security role primarily in business support terms. One of the benefits of working for a security-aware company like Allianz, Rowe says, is that the scope of his responsibilities has been spelled out very clearly. “Sponsorship on the network, access to applications — these kinds of things are the responsibility of the business,” Rowe says. “Our job is to provide the tools and the monitoring reports necessary for them to make judgements on suspicious activities.”
One security challenge currently facing Rowe will no doubt be familiar to many CIOs and CSOs: the perils of migrating the organisation to a new operating system. Allianz is currently nearing the end of an enterprise-wide rollout of Windows 2000, but the company still has 10 percent of the installed-base on NT 4. Currently suspended between the two platforms, Rowe claims to have twice the usual amount of security overheads. “Keeping the new environment and the old environment patched up is our biggest challenge at the moment,” he says. “We don’t want to have one environment degrade the performance of the other, particularly if a vulnerability is exposed.”
Another top priority for Rowe is supervising the company’s many Web-based applications. “The amount of work we do on the Web is relatively new for Allianz Australia,” says Rowe, who also claims that the company’s recently-adopted Web front ends require a high level of identity management.
Rowe insists that such challenges are precisely why he’s the right man for the job. The issue of identity management in particular has provided Rowe with several opportunities to prove his value to the business, mainly by forcing him to draw upon skills and experience gained during his past employment. A corporate troubleshooter prior to joining Allianz in 1999, Rowe used to earn his living by probing enterprise IT environments for security liabilities. Before that, he was a UNIX system administrator, a role that did much to shape his approach to identity management. Mainframes may be obsolete now, but the lessons they taught people like Rowe are not. Mainframes demanded managers take a holistic, security-conscious view of their environments, Rowe says, and such training was ideally suited to the current challenges he faces in managing access to Allianz’s critical applications.
“We’ve got things under control by leveraging what we’ve learned during the mainframe years,” Rowe says. “But you can’t get complacent. You always need to be diligent and vigilant.”
Change Is Your Friend (Sometimes)
Linda Stutsman, CISO, Xerox
By Derek Slater and Lew McCreary
If, as the old mantra says, change is good, then Xerox CISO Linda Stutsman is in her happy place indeed. In the past year, Stutsman says, “We have evolved from an information security organisation to an information risk management and compliance office.” More than a name change, the move puts new responsibilities on Stutsman’s plate — privacy and regulatory compliance as it applies to information security. And the company has created an InfoRisk Council comprising senior business managers from every Xerox unit around the world. The group is charged with determining the appropriate risk level for each particular business unit and, from there, providing direction for Stutsman’s group to supply each part of Xerox with appropriate technical, strategic and budgeting levels for information security.
Xerox’s moves illustrate many themes that will play out in the coming year for information security in general and for CSOs in particular: Stay in tune with business priorities, frame security decisions in terms of appropriate risk management, and expect the mixed blessings that come with security regulation in many industries. While these changes are indeed good in the sense that they mark the maturation of information security as a corporate discipline, Stutsman is also frank about the downside. Additional responsibilities take additional time. “You never really leave this job at the end of the day,” she says. And her biggest frustration is a refrain every CISO will recognise. “The continuing exploitation of software vulnerabilities — it takes tremendous effort and stamina to stay ahead of it,” she says.
Constant change and ever-accelerating volumes of threats might tempt security leaders to long for a bit of stability. Stutsman is a realist on this point as well. “Although we have a security strategy and plans that we try to work to, we often need to reprioritise based on the current situation,” she says. “This really is often an interrupt-driven profession.”
And that’s the one thing that will never change.
Compliance Becomes a Core Competence
Sharon O’Bryan, former CISO of ABN Amro
By Derek Slater and Lew McCreary
Sharon O’Bryan can talk a blue streak about regulation, audit procedures and security technology — terrain with which she’s extremely familiar. But if you listen carefully, the undercurrent in O’Bryan’s thoughts seems to persistently redirect her toward undiscovered territory. She has a formidable résumé, but O’Bryan mostly frames her own career as being less about achievement than about personal development.
O’Bryan left banking giant ABN Amro NA in May (she was CISO and senior vice president) in the wake of turmoil at the top. CEO Harry Tempest — whom O’Bryan describes as “very well read on matters of technology risk” — retired, as did the CIO to whom O’Bryan reported. While O’Bryan lined up several interviews in short order, she wasn’t crazy about what she found. After a year of watching her information security function rise in prominence at ABN Amro, her job search uncovered a dispiriting reality: “Many organisations are using the terms CSO or CISO, but the job is really one of an information security manager.”
The difference, as she explains it, is that a true CSO/CISO position calls for “analytic, strategic planning, prioritisation, communication at an executive level”, along with an understanding of “profitability, not just revenue”. During her four years at ABN Amro, those traits helped O’Bryan morph security from a function that “nobody listened to” into a group that was included and heeded in the early planning stages of IT and business projects.
Disenchanted by her observations of the job market — and looking for a position that would ensure her continued professional growth — O’Bryan launched her own consultancy. Combining her IT skills with her background in auditing, she has developed a practice to advise other executives on such complex regulatory issues as the Sarbanes-Oxley Act (of which she can effortlessly rattle off a well-reasoned list of a half-dozen major loopholes and flaws).
O’Bryan stops short of saying regulation will be the most profound shaper of the security landscape next year, but it nevertheless may become the most time-consuming aspect of the CSO position. “I do believe that a CSO’s time spent on regulatory matters will increase [significantly] in 2004 and incrementally in years thereafter,” she notes. The bulk of that time will involve helping the rest of the company sort through the details and determine what’s applicable to each business function.
Many CSOs and CISOs, particularly those with a technical background, may not count compliance efforts among their core skills. But from O’Bryan’s perspective, at least, that only means you get another chance to stretch yourself.
How the Practice Grows and Matures
Dave Kent, CSO, Genzyme
By Derek Slater and Lew McCreary
Dave Kent can now take his hard hat off. As vice president and CSO of biotech heavyweight Genzyme, he oversaw the integration of security components into the design and construction of the company’s striking new corporate headquarters. In October, the move finally took place, and Kent had a little more time to spend ruminating about his role — and the other hats he wears.
As busy as he has been, Kent fails to meet the definition of the hyperstressed executive, a breed often seen to be victims of “low decision latitude” — meaning too much responsibility accompanied by too little authority. “My job satisfaction continues to be high,” he says. “Business is good and interesting. I’m working with a great team and having fun. I have a flexible schedule, generally travel on my own agenda, and the company encourages a good work-life balance.” When asked whether he’d want his kid to grow up to be a CSO, he says: “In this environment, yes.”
While the practice of security at Genzyme hasn’t changed much during the past year, he says, “Organic growth and acquisition have increased the company’s scale and complexity. And there is more emphasis on developing a global perspective.”
Is his job harder or easier today than it was in the past? Kent offers up a mixed bag. “Each successful year builds a positive group reputation and makes influencing decisions easier.” But Genzyme’s growth spurt has brought its share of challenges. “The main difficulty is tied to acquisitions,” he says. “In this industry, [companies] often have no — or unsophisticated — approaches to security. This is because of a lack of experience or an inherent disbelief in the value of what [security has to offer]. As a result, educating and influencing in these environments is hard and time consuming.”
Nonetheless, he says, “a significant majority of the corporation values our involvement, particularly at the planning stage [of business initiatives]. A few locations — primarily those that think security is a low-bid, facility-related issue only — still need to be convinced.”
Kent, who claims never to have seen his own job description (he suggests that it ought to read, “Provide professional security services and other duties as required”), is a pretty good convincer. He approaches the challenges of security governance with a well-honed sense of humour. When asked how his boss evaluates his performance, he says “by the group compliment-to-complaint ratio!” He reports to Genzyme’s executive vice president for human resources, an arrangement that he says “works quite well [because] we are able to operate as an independent entity serving the management team”.
One of security’s main success factors is having “a strong ability to control the agenda, based on a thorough understanding of business goals, time lines and objectives. We have credibility on tactical-level security matters.” Building credibility is a long-term play. Even security incidents present reputational opportunities. Kent’s group has gained “access, acceptance and, ultimately, inclusion by demonstrating quiet competence when bad things happen, [and] then using the moment to build support for future goals, objectives or projects”.
While he concedes that there is sometimes tension over the cost of security investments, “linking everything we do back to the company’s agenda” keeps the business and security objectives aligned.
During the past year, Kent says, he’s been pleased with the extent to which “the importance of a complete integrated approach to security is becoming clearer”. His priorities for the coming year include “continuing this process of integration of physical, information, supply chain and vendor security programs, worldwide, and to extend evaluation and controls to key suppliers and partners”.
The things that keep him awake at night are perhaps the same sorts of worries that keep every CSO from sleeping well: “the personal safety of my fellow employees living and working in difficult areas of the world; security of voice and data systems, particularly those that are accessed by third parties; the screening of employees and non-employees (meaning temps, contractors, consultants) in countries that have poor records or that deny [access to] records”.
Finally, if he needs a second opinion on anything, he draws freely on contacts with other security executives he has met through professional membership associations such as the International Security Management Association. “Only on a few occasions have I not found help from cold-calling a person in a similar position,” he says.
Dismissed on a Technicality
Joyce Brocaglia, CEO, Alta Associates
By Derek Slater and Lew McCreary
Joyce Brocaglia started out specialising in IT auditors some 20 years ago. “What happened was we started getting more and more requests for information security people. Then, when infosecurity departments started getting formed, a lot of them [were staffed] out of IT audit,” says Brocaglia, president and CEO of recruitment firm Alta Associates. “These people had the necessary technical skills and an understanding of compliance.” Who got to lead those new departments? Typically, she says, whoever was most technically astute: mainframe guys with a deep understanding of RACF and Top Secret.
But now, says Brocaglia, that convention has been turned upside down: “Today we’re replacing the most technical person with someone who has great communication, leadership and project-management skills.” Brocaglia says for CSO-level positions, her client companies are looking for strong business acumen and — with Sarbanes-Oxley and other legislation breathing down their necks — a solid understanding of regulatory requirements. “In fact, most searches that we conduct for a CSO are for companies that already have one in place, and [the incumbent] does not have a broad enough skill set or executive presence,” she says.
Among her other observations about the state of the profession today, Brocaglia says developing credibility remains a concern even for infosecurity leaders well established in their positions. Keeping the infosecurity team motivated is another challenge, given budget squeezes and the time crunch created by ever-growing numbers of threats and exploits.
Looking for a career hot spot underneath the CSO level? Brocaglia says 2004 is the year of application security, “especially among financial services companies. They’re looking to hire people who can sit down with their developers from the very earliest stages and start building security into the design,” she says. “We’ve got a half-dozen open VP positions in application security, but those people are hard to find. In fact, very few exist, because hardly anybody has [paid attention to] application security before.”