NEW CSO BILL HANCOCK found his security team’s reputation summarised, symbolically, in the contents of a locked closet. He had been CSO for less than a week when he discovered the dirty little secret. A routine tour of the security facilities at Exodus (now the US base of Cable & Wireless) turned up the closet. When Hancock opened the door, he saw 45 computers stacked high in a haphazard pile.
“What the hell is all this stuff?” he asked. Quite matter-of-factly, a security staffer informed him they were computers that had been hacked. Struggling to understand how that had led to this leaning tower of machines, Hancock asked: “Well, who do they belong to?” When that question seemed to stump the staffer, the magnitude of the problem began to dawn on Hancock. Not only had the previous CSO impounded computers instead of fixing them, the security team didn’t even know where the computers came from or whether replacements had been issued to their users. The message this sent to the rest of the company was reminiscent of Jerry Seinfeld’s despotic Soup Nazi: Been hacked? No computer for you!
As Hancock discovered at Exodus, the top security role in many companies is in desperate need of a reputation makeover. Nowhere is this more apparent than in the relationships between CSOs and other line-of-business executives. Though they are relative newcomers to the executive line-up (and in many cases are still waiting to get in the game), CSOs will achieve success based on the strength of their peer executive relationships. Why? Because in order to effectively execute security programs, CSOs will depend almost entirely on winning access to and cooperation from their fellow executives.
Naturally, a negative image can get in the way. “Security tyrant” is just one of the unfortunate sobriquets CSOs have earned. Business executives complain that CSOs kill projects with their unreasonable and expensive technology demands. They are “techies” who make no effort to understand or relate to the business. They speak in a foreign-sounding language, peppered with terms like buffer overflow and packet filtering. Their duties seem to consist largely of getting in the way of business rather than solving its problems. When the position devolves into stereotypes, the CSO role risks becoming marginalised. Other key executives will begin to engage in that time-tested business strategy, the end run.
In order to build strong partnerships, says Hancock, you need to deflate criticisms and communicate well with other top executives. “If you can’t explain to people how to solve a problem, they’ll never come back to you again,” he says. “They’ll do everything to work around you rather than work with you.”
We talked to some top CSOs to glean their best practices for making these critical executive partnerships work.
1 Don’t Just Say No
After discovering his predecessor’s punitive approach to corporate security, Hancock realised that he needed to rebuild the image of the Exodus CSO into that of a kinder, gentler team player. His first step was to track down the owners of those 45 confiscated computers. Many of them had in fact been computerless. Hancock gave the computers back, got them cleaned up, loaded them with new security tools, and briefed their owners on how to keep from being hacked again. “Pretty soon people who once had fear and loathing in their hearts for the security guys began to say: ‘These are really nice people. They’re trying to help me be secure and will explain to me what’s going on’,” Hancock says. His rule, which has been effective with employees and executives alike, is: “Never tell people no. Tell them how.” That helps create the perception that security is an ally rather than an enemy.
In fact, changing perceptions requires that CSOs curtail all kinds of negative communication as much as possible. For example, instead of waging an endless battle to stamp out employees’ bad habits, look for technology solutions that will compensate for them. In practice that means — instead of raking employees over the coals for visiting forbidden Web sites or losing their laptops — you would deploy embedded technology controls that prevent access to certain kinds of Web sites or that automatically encrypt laptop data. “The tip is to look for noninvasive ways to implement security,” says James Christiansen, chief information security officer for General Motors. “[Users] don’t even realise it’s there, and if their laptop falls outside corporate hands, we know it’s protected.”
CSOs should also consider exploiting executive partnerships as a way to off-load some of the dirty work of communicating with the company about security. Why not harness HR’s expertise in policy creation and dissemination to push new security policies out to employees? Internal audit groups can likewise be useful partners when departments disregard some company policy and need to be whipped into shape.
Giving your business partners both a voice and a choice in security decisions is another way to foster strong partnerships. If CSOs talk in the lexicon of risk and reward, and provide an analytical basis for decision making, they can actually leave final decisions to the business owners closest to the issues. This creates buy-in within the business groups because they are ultimately making decisions rather than being dictated to by an outsider.
At Merrill Lynch, chief information security and privacy officer David Bauer believes in laying out the options for a business team: the security risks, the possible solutions and the benefits or drawbacks of each choice. “Too often, security groups come back with [only] one answer, and people wonder if you analysed at all,” he says.
That said, there are of course times when an outright “no” must be firmly articulated. Anticipating that necessity, CSOs will find that the word commands much more respect if they use it sparingly rather than reflexively. Otherwise, CSOs who constantly shoot down projects as a menace to corporate security may not be taken seriously when real dangers arise. It’s a balancing act that Hancock describes as a benevolent dictatorship. Things run much more smoothly if other people take an active part in the decision-making process. But when a serious security issue puts the company at risk, the CSO has to step up and make the call.
2 Know Thy Business
When Christiansen came to GM from Visa, where he was also head of security, he found the transition jolting. “Walking into a manufacturing corporation from financial services was like being the 13th warrior,” says Christiansen, referring to the 1999 film in which Antonio Banderas plays a cultured Arab forced to fight alongside barbaric Vikings (while the movie was a flop, it might make appropriate viewing for any CSO who’s ever felt like a fish out of water in the executive pool). “You speak a different language, look different and dress different.” So Christiansen did two things: he signed up for classes on the auto industry, and he made a point of doing a lot more listening than talking.
In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM’s financial services division), OnStar (the onboard satellite communications system) and the defence industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company’s business line executives. “Everything I bring them is cost additive, and that can create a natural conflict,” says Christiansen. “I need to be able to show the bang for the buck, the ROI per dollar and how I’m going to help them solve business problems.” None of that can be achieved without a keen understanding of the business and the recognition that the CSO’s role is to enable business success in an appropriately secure context.
To combat the perception that security is divorced from the business world, Bill Boni, Motorola’s chief information security officer, has even gone so far as to shun the usual moniker “IT security” in favour of the more business-friendly title “information protection”. The goal is to position the department as the protector of information assets in all forms, whether it’s customer data housed in a server or confidential contracts in a sheaf of papers.
Talking in business terms with executives can also be a tremendous asset in advancing the CSO’s agenda, which is often bogged down by the perception that it’s too technical for business executives to understand or to be bothered with. “I’ve seen too many information security practitioners fall short in their role because what they really love is the technology,” says Boni. “They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives’ insight, experience and judgment can be engaged, the executives are already disengaged. They conclude that security is at a level that’s inappropriate for their consideration.”
The better tack, according to Boni, consists of four key elements: understand the business, understand what makes it successful, identify the factors that can put that success at risk, and then find ways of managing that risk through technical, operational or procedural safeguards. Use that knowledge for your conversations with business executives.
Working with business executives is easier when you also arm yourself with knowledge of the initiatives that are under way in their business unit and the challenges each executive faces. It’s helpful to have a network of sources you can draw upon to discuss threats, current projects, and any concerns or feedback that business units may have about security usability. These individuals can also act as the CSO’s evangelists throughout the enterprise, spreading the word about new policies and threats.
3 Practise Your Delivery
As anyone who’s ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Hancock took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was to do an actual stand-up routine at The Improv, New York City’s renowned comedy club, on a Friday night. “It was one of the most horrifying experiences I think I’ve ever been through,” says Hancock. “You get up in front of an audience, half the people there are probably inebriated in some fashion, and you’ve got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don’t know you from nobody.” The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it’s important to focus on how you communicate as well as what you communicate.
When Hancock joined Exodus, the relationship between security and finance was rocky. Finance folks viewed themselves as the guardians of the purse and Hancock’s group as upstarts. Assiduously, Hancock started getting finance involved in security decisions so that they could learn the factors on which decisions were being made and thus understand the reasoning behind them. It was a carefully tailored education process that paid dividends for both sides. Later, when Hancock had to buy 800 firewalls, the finance department negotiated a leasing arrangement that saved his group a lot of money.
CSOs looking for someone with whom to commiserate over the difficulty of getting business executives to pay heed to seemingly arcane policies and procedures could do worse than hoist a few with the corporate counsel. Kingsley Wallman, vice president and associate general counsel with Exodus, notes parallels between the communication challenges faced by the CSO and those facing the legal department. Both groups are perceived as having been built around highly specialised disciplines that seem distant from the realities of business. And both call for the ability to communicate and interpret their fields to sometimes disinterested executives.
Wallman suggests that because CSOs must often communicate about conceptual and highly technical topics, they should make an effort to relate to their fellow executives in person. “A CSO — and I think Bill [Hancock] would agree — is often better served to pick up the telephone instead of sending an e-mail, and would do even better to put down the handset and walk down the corridor,” he says.
And it’s not enough to just go blabbing horror stories. What’s needed is to put things in context. “It’s translating threats into the risk to business and communicating that you’re working with them, not against them, to come up with solutions,” says Rick Lacafta, chief information security officer with Travelers Insurance.
Like an external security vendor, the CSO needs to market his group’s services across the enterprise — a skill few CSOs have mastered — to get the message out about what it can do for business units. Building a security plan is only the beginning. The CSO must then communicate the project deliverables and the game plan to the rest of the organisation, and educate and evangelise about the benefits that each constituency will receive from the plan’s implementation.
When talking to other senior executives about security, focus the message on their particular areas of responsibility and accountability. Show them how security can achieve one of their objectives. A CSO who effectively communicates his role to the enterprise will no longer have to chase down resistant project leaders and executives. Instead, the executives will begin to seek out the security team and value its contributions.
4 Getting to Yes
Frequently, security decisions rest upon the CSO’s ability not only to communicate effectively but to negotiate well. Risk management is an imperfect art, and security vulnerabilities change by the day. Much of the CSO’s time is spent negotiating toward solutions, both temporary and long-term, for unexpected vulnerabilities. Christiansen points out that the key to doing this well is to first reassure internal customers that your goal is to find a “cost-effective solution to the business problem”. Translation: this is about solving a business problem, not breaking your budget with some big-ticket technology toys. “Next, as in any negotiations, understand their point of view, motivations and overall objectives,” says Christiansen. “More often than not, given equal understanding, a way to accomplish both goals can be found.” The sales technique of creating a “win-win” is a good goal to have, but if the security issue at stake is critical enough, CSOs can’t afford to settle for dangerous compromises that will place the company at risk.
The last technique for effective advocacy is to ensure that executives and other employees can easily understand security policies and procedures in written as well as verbal form. At Merrill Lynch, Bauer requires his security staffers not only to think like businesspeople, but also to communicate like businesspeople. He instituted a rule within his group that IT security documents be brief, be free of dense technical jargon, and read like crisp executive summaries.
5 Got Clout?
Few CSOs get their marching orders directly from the chief executive. More often than not, they report to the CIO. But regardless of reporting structure, CSOs must make sure that they can escalate an issue to senior management if the situation warrants. “Make sure you have authority,” says Mary Ann Davidson, CSO for software-maker Oracle. “Responsibility without authority is frustration.” Whether validation comes from the CIO or CEO, the word needs to circulate around the executive suite and throughout the company that the CSO role is important.
There will be times when other executives — whether innocently or not — try an end run around the security group to get a business goal accomplished in the fastest, cheapest way. CSOs can take steps to thwart such attempts: the first is to institutionalise a policy requiring security sign-off in the design phase for all projects that involve a major change to infrastructure or an application. The sign-off document should list all the alternative mitigation strategies and the risks to the business of not implementing the stated requirements. The business unit executive can sign off on a decision to ignore the security group’s proposed remedy and accept the risk. That is the approach GM has taken under Christiansen’s direction. The signed documents are provided to the internal audit group, which can step in and flex its regulatory muscle if the agreed-upon policy is in any way violated.
Exodus’s Hancock prefers a less-regimented technique that he calls security guilt. He holds a meeting with the responsible parties during which he appeals to their intellect and ethics and explains the risks of not including security in the initiative. “Usually people do want to do the right thing, securitywise,” he says. It’s just that they “may see security folks and procedures as an impediment to getting something done. I try to work out the issues so that they feel security is backing the project, not trying to kill it.”
Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle’s Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. “People ought to be thanked for doing their job more often,” she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation instead of barking out orders and throwing their weight around. “Business is personal,” Davidson says. “It’s not being manipulative, it’s just that you catch more flies with honey.”
BOX: Executive Most Valuable Players: Shmooze ’em or lose ’em
CULTIVATING A CREW of most valuable partners from within the executive ranks can yield important benefits for CSOs: valuable insight into the inner workings of the company, a way to disseminate and validate the security agenda, and the leverage to achieve their goal. While the players may differ slightly depending on the industry, here is the roster of key individuals who should form the core of your MVP team.
Head of Human Resources: HR is a critical partner in managing employee network access (new hires and terminations), policy creation and dissemination, and training. HR’s expertise in influencing employee behaviour can also be a valuable resource. As a bonus, human resources could be a useful case study in overcoming a bad rap. Like the security function, HR used to be viewed as a bad business partner, plagued by insularity and detachment from the business.
Head of Finance: For all the obvious reasons, it’s wise to build a strong relationship with the people who hold the purse strings. When capital expenditures are required for security, the process will run more smoothly if finance executives solidly understand the needs behind it.
Head of Marketing/PR: Marketing and corporate communications are the company’s face to the marketplace. When a security situation arises, marketing and PR are critical to crafting and communicating the company’s message to customers and business partners.
Head of Audit: The relationship between security and audit can be tricky. Both groups share the goal of governing standards and policies across the enterprise. The similar agendas could create a competitive climate, with one group constantly trying to trump the other. However, a strong partnership between the groups can be a tremendous asset to the CSO, with audit acting as the enforcement arm of the security group as well as its eyes and ears into the different business units.
General Counsel: A number of issues are converging between law and technology that make a good relationship with the general counsel’s office important. This group is a valuable partner in situations involving privacy, technology misuse, copyright and trademark infringement on the Internet, and the growing nuisance of spam. The general counsel can also be an ally in drawing up airtight contracts that security vendors won’t wiggle out of.
Physical Security Manager: In some companies both information security and physical security fall under the purview of the CSO. But even where they are separate functions, the relationship between the two is key to establishing an overall level of corporate security. Many of the controls that govern physical security are rooted in information security (access cards, biometrics). Physical security managers also play a central role in creating a secure IT environment since they conduct background checks and secure physical access to those precious data centres.
Chief Information Officer: CIOs and CSOs can have conflicting agendas, even when one reports to the other. With the CIO focused on service delivery and the CSO proposing measures that add expense and delay to those services, it can be hard to achieve balance between the two roles. Consequently, the two need to have a close working relationship so that security concerns aren’t swept aside.
MD/CEO: Very few chief security officers have the ear of the chief executive, but security enlightenment must somehow be fostered at the top of the company. Whether CSOs deliver the message themselves or enlist another executive as their proxy, they should look for opportunities to get their agenda in front of the CEO. — D Duffy