[ISN] In New Era, Corporate Security Looks Beyond Guns and Badges

From: InfoSec News (isnat_private)
Date: Tue May 28 2002 - 01:27:53 PDT

  • Next message: InfoSec News: "[ISN] Yahoo! Messenger! multiple! vulns!"

    http://www.nytimes.com/2002/05/27/technology/27SECU.html
    
    May 27, 2002
    By STEVE LOHR
    
    HELP WANTED: Chief Security Officer.
    
    Ominously, vaguely, federal officials are again warning Americans to 
    be on alert for some sort of terrorist attack. Will corporate America 
    be ready?
    
    In the months since the Sept. 11 attack on New York destroyed the 
    World Trade Center towers, killed thousands of workers and disrupted 
    dozens of companies, businesses have been forced to review their 
    notions of corporate security. And with those assessments has come 
    realization that the job calls for a new kind of corporate security 
    executive - one with breadth of experience, analytic skills, business 
    acumen and leadership qualities. The job, in other words, calls for a 
    chief security officer, or C.S.O., as the emerging term of art would 
    have it. 
    
    The security field's leading professional organization is drawing up a 
    detailed description of the skills and responsibilities of the job. 
    The elusive ideal is an executive not only familiar with the physical 
    security of people and property, but also fluent in the digital 
    security of computers and information - roughly equal parts top cop, 
    business manager and computer geek.
    
    Executive headhunters are recruiting people who fit the description 
    and, with their talents suddenly much in demand, chief security 
    officers can earn more than $400,000 a year. A new magazine, called 
    CSO, is scheduled to begin publication in September.
    
    And yet, for all the activity, "the truly broad-based candidates are 
    relatively rare," said Lance Wright, a vice president of Boyden Global 
    Executive Search, a recruiter. Despite the talent scouting by 
    headhunters, companies are apparently taking their time in hiring 
    senior security executives. A survey of 390 large companies last month 
    by Christian & Timbers, a search firm, found that while 95 percent 
    said they needed to hire a chief security officer, only 8 percent said 
    they had begun the recruiting.
    
    And a separate study, "The Changing Nature of the Chief Security 
    Officer," from the Giga Information Group, a research firm, found that 
    while large corporations were increasing their security budgets and 
    that some senior security executives' salaries were well into six 
    figures others were making as little as $70,000. 
    
    With its eye on criminality and terrorism, the security field is "a 
    different world and an unfamiliar world to a lot of mainstream busi- 
    nesspeople," said Timothy Williams, a former Cincinnati policeman with 
    an M.B.A. who directs corporate and systems security for Nortel 
    Networks, the big communications equipment maker. But different though 
    it may be, Mr. Williams said, "security is a business process" — a 
    matter of setting priorities and strategy, establishing processes and 
    measuring their effectiveness.
    
    The C.S.O. title is meant to suggest that security matters are 
    becoming a more important and integral part of corporate life. Roughly 
    15 years ago, another three-letter corporate title started to surface, 
    C.I.O., or chief information officer. It was initially greeted with 
    skepticism, even derision. 
    
    But C.I.O. was more than a name; it was a recognition that information 
    technology was not just electronic plumbing or a narrow specialty, but 
    something that could affect the mainstream business, strategy and 
    competitiveness. The C.I.O. is now an established and respected 
    executive job at most major corporations.
    
    It is too early to tell whether the C.S.O. will eventually reach 
    comparable stature. But even before Sept. 11, the corporate security 
    field had been steadily evolving in response to the major business and 
    technological developments of the last two decades. Globalization, 
    deregulation, outsourcing, just-in-time inventory practices, the 
    embrace of information technology and the rise of the Internet have 
    all brought greater openness and efficiency, along with new 
    vulnerabilities.
    
    The people managing security at large corporations have also changed 
    with the times, well beyond the "guns and badges" days of mainly 
    overseeing building security guards and investigations of the "who 
    stole the petty cash" variety. In today's open economy, a point of 
    access in security terms is not just a headquarters office or a 
    factory gate, but also a computer network connection that could be a 
    gateway to a company's customer databases or product designs.
    
    The senior security manager has "gone from a corporate cop guy to a 
    real business position," said Grant Crabtree, vice president for 
    corporate security at the Alltel Corporation, a provider of wireless 
    phone service and other telecommunications services, based in Little 
    Rock, Ark.
    
    Senior security officers have typically climbed the corporate ranks 
    through one of two distinct paths, as experts in either physical 
    security or data security. The physical security people usually are 
    former police officers, military officers or federal agents, while the 
    data security people tend to be former computer scientists, engineers 
    and programmers.
    
    Mr. Williams, 50, of Nortel is no newcomer to the field. He has spent 
    22 years in corporate security, including stints at Procter & Gamble 
    and Boise Cascade, and he is also a co-author of a well-regarded book 
    on fraud. 
    
    A few years ago, he set up a 15-person global security council at 
    Nortel, composed of senior managers in departments including real 
    estate, finance, information technology, manufacturing and 
    procurement. Its purpose, Mr. Williams explained, was to be able to 
    take a comprehensive approach to security matters "across all the core 
    businesses and functions."
    
    Fifteen minutes after the first hijacked jetliner hit the World Trade 
    Center in September, Mr. Williams, working from his office in 
    Nashville, convened the council by conference call, as colleagues 
    checked employee databases and travel itineraries to see if any Nortel 
    employees were on the plane or in the World Trade Center. None were. 
    
    For the next several months, in weekly calls, the group monitored a 
    review and tightening of security programs at the company, which has 
    more than 40,000 employees in Canada, the United States and overseas. 
    Like many companies, Nortel re-examined and fine-tuned all kinds of 
    basic security, like reception desk and ID card procedures, as well as 
    safeguards for limiting to authorized employees and suppliers the 
    right to remote access to the company's computer networks. Mr. 
    Williams, like other security officers interviewed for this article, 
    declined to discuss the changes in detail. 
    
    But one new measure was adding a security section to Nortel's internal 
    Web site, which includes country-risk reports for traveling employees, 
    emergency procedures for building evacuations and recent news articles 
    on physical and data security. For anyone with questions, the site has 
    a link to send e-mail messages to Mr. Williams or other security staff 
    members.
    
    At General Motors, James Christiansen, 43, the chief information 
    security officer, came up through the data security ranks. His 
    computing career began at 19, as a programmer writing code to automate 
    the calculation of electrical rates and customer billing for a utility 
    company in Utah. As his programming skills broadened, he became more 
    interested in security technology and in business, earning both 
    undergraduate and M.B.A. degrees.
    
    General Motors hired Mr. Christiansen in November from Visa 
    International, where he was a senior vice president. His title is a 
    new one at G.M., but the company had begun recruiting him months 
    before Sept. 11, an indication that information security had already 
    become a priority for senior management. A big part of the comeback 
    story at General Motors in recent years has been its use of 
    information technology to forge closer links with suppliers, shorten 
    product design-and-development cycles and manage its worldwide 
    operations.
    
    Yet operating in a global, networked world, where collaboration and 
    information sharing are essential, brings new security risks. The 
    access to computer networks for employees, suppliers or contractors 
    that can make a company more nimble and fleet-footed also makes a 
    company far more vulnerable to theft, sabotage and information-warfare 
    attacks.
    
    "It is the digitization of the enterprise that drives the importance 
    of information security to the top," Mr. Christiansen said recently in 
    his Detroit office. "Our car designs are all mathematical models. You 
    don't make a single car, a single truck, without a computer system — 
    actually, several of them."
    
    Major manufacturing corporations like General Motors have been 
    adapting their supply pipelines for years. In 1996, G.M. learned a 
    costly lesson in the potential pitfalls of just-in-time inventory 
    practices when an 18-day strike at two factories that supplied brakes 
    shut down 26 assembly plants, reducing quarterly earnings by $900 
    million. Afterward, the company reorganized its manufacturing and 
    supply channels so that production of critical parts was more 
    diversified and flexible, making it far less susceptible to the loss 
    of a single plant or two.
    
    Mr. Christiansen's job is to make similar, risk-reducing steps for the 
    data networks that connect the company's operations and people. "It is 
    the equivalent of G.M.'s nervous system," he said, "and if it were 
    knocked out, it would be as if suddenly your arms and legs don't work 
    anymore."
    
    Mr. Christiansen must make sure that, beyond any physical attacks, 
    such cyberweapons as an industrial-strength denial-of-service software 
    attack, a self-replicating worm or a computer virus cannot bring the 
    network down. Clever software tools - so-called intrusion engines, 
    neural-network technology and the like - can help limit the damage 
    from network sabotage like the Nimbda worm, which cost companies 
    around the world an estimated $500 million last fall.
    
    Yet the more important safeguard, Mr. Christiansen said, is designing 
    computer systems and putting in place employee procedures to reduce 
    risks before the problems occur. "Security isn't technology," he said. 
    "Security is process, though it is enabled by technology." 
    
    The American Society for Industrial Security, a professional 
    organization with 32,000 members, wants to hasten the evolution of the 
    field. In the last few months, the organization has been developing a 
    detailed description of the preferred qualifications and 
    responsibilities for "the new position of chief security officer." The 
    work is not finished, but the draft proposal says the chief security 
    officer - who would ideally hold a graduate degree in business or law 
    - should be a senior executive with strong analytic, strategic and 
    communications skills in addition to security expertise.
    
    "For corporate North America, 9/11 was a wake-up, bar none," said Mr. 
    Williams of Nortel, who worked on the society's job-description 
    document. "There will be a lasting effect, and many corporations 
    recognize they need security leadership. But there is also a real need 
    within the security field to broaden itself."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 06:18:23 PDT