http://www.nytimes.com/2002/05/27/technology/27SECU.html

May 27, 2002

By STEVE LOHR

HELP WANTED: Chief Security Officer.

Ominously, vaguely, federal officials are again warning Americans to be on alert for some sort of terrorist attack. Will corporate America be ready?

In the months since the Sept. 11 attack on New York destroyed the World Trade Center towers, killed thousands of workers and disrupted dozens of companies, businesses have been forced to review their notions of corporate security.

And with those assessments has come realization that the job calls for a new kind of corporate security executive - one with breadth of experience, analytic skills, business acumen and leadership qualities.

The job, in other words, calls for a chief security officer, or C.S.O., as the emerging term of art would have it.

The security field's leading professional organization is drawing up a detailed description of the skills and responsibilities of the job. The elusive ideal is an executive not only familiar with the physical security of people and property, but also fluent in the digital security of computers and information - roughly equal parts top cop, business manager and computer geek.

Executive headhunters are recruiting people who fit the description and, with their talents suddenly much in demand, chief security officers can earn more than $400,000 a year. A new magazine, called CSO, is scheduled to begin publication in September.

And yet, for all the activity, "the truly broad-based candidates are relatively rare," said Lance Wright, a vice president of Boyden Global Executive Search, a recruiter.

Despite the talent scouting by headhunters, companies are apparently taking their time in hiring senior security executives. A survey of 390 large companies last month by Christian & Timbers, a search firm, found that while 95 percent said they needed to hire a chief security officer, only 8 percent said they had begun the recruiting.
And a separate study, "The Changing Nature of the Chief Security Officer," from the Giga Information Group, a research firm, found that while large corporations were increasing their security budgets and that some senior security executives' salaries were well into six figures, others were making as little as $70,000.

With its eye on criminality and terrorism, the security field is "a different world and an unfamiliar world to a lot of mainstream businesspeople," said Timothy Williams, a former Cincinnati policeman with an M.B.A. who directs corporate and systems security for Nortel Networks, the big communications equipment maker.

But different though it may be, Mr. Williams said, "security is a business process" — a matter of setting priorities and strategy, establishing processes and measuring their effectiveness.

The C.S.O. title is meant to suggest that security matters are becoming a more important and integral part of corporate life.

Roughly 15 years ago, another three-letter corporate title started to surface, C.I.O., or chief information officer. It was initially greeted with skepticism, even derision. But C.I.O. was more than a name; it was a recognition that information technology was not just electronic plumbing or a narrow specialty, but something that could affect the mainstream business, strategy and competitiveness. The C.I.O. is now an established and respected executive job at most major corporations.

It is too early to tell whether the C.S.O. will eventually reach comparable stature. But even before Sept. 11, the corporate security field had been steadily evolving in response to the major business and technological developments of the last two decades. Globalization, deregulation, outsourcing, just-in-time inventory practices, the embrace of information technology and the rise of the Internet have all brought greater openness and efficiency, along with new vulnerabilities.
The people managing security at large corporations have also changed with the times, well beyond the "guns and badges" days of mainly overseeing building security guards and investigations of the "who stole the petty cash" variety.

In today's open economy, a point of access in security terms is not just a headquarters office or a factory gate, but also a computer network connection that could be a gateway to a company's customer databases or product designs.

The senior security manager has "gone from a corporate cop guy to a real business position," said Grant Crabtree, vice president for corporate security at the Alltel Corporation, a provider of wireless phone service and other telecommunications services, based in Little Rock, Ark.

Senior security officers have typically climbed the corporate ranks through one of two distinct paths, as experts in either physical security or data security. The physical security people usually are former police officers, military officers or federal agents, while the data security people tend to be former computer scientists, engineers and programmers.

Mr. Williams, 50, of Nortel is no newcomer to the field. He has spent 22 years in corporate security, including stints at Procter & Gamble and Boise Cascade, and he is also a co-author of a well-regarded book on fraud.

A few years ago, he set up a 15-person global security council at Nortel, composed of senior managers in departments including real estate, finance, information technology, manufacturing and procurement. Its purpose, Mr. Williams explained, was to be able to take a comprehensive approach to security matters "across all the core businesses and functions."

Fifteen minutes after the first hijacked jetliner hit the World Trade Center in September, Mr.
Williams, working from his office in Nashville, convened the council by conference call, as colleagues checked employee databases and travel itineraries to see if any Nortel employees were on the plane or in the World Trade Center. None were.

For the next several months, in weekly calls, the group monitored a review and tightening of security programs at the company, which has more than 40,000 employees in Canada, the United States and overseas.

Like many companies, Nortel re-examined and fine-tuned all kinds of basic security, like reception desk and ID card procedures, as well as safeguards for limiting to authorized employees and suppliers the right to remote access to the company's computer networks.

Mr. Williams, like other security officers interviewed for this article, declined to discuss the changes in detail. But one new measure was adding a security section to Nortel's internal Web site, which includes country-risk reports for traveling employees, emergency procedures for building evacuations and recent news articles on physical and data security. For anyone with questions, the site has a link to send e-mail messages to Mr. Williams or other security staff members.

At General Motors, James Christiansen, 43, the chief information security officer, came up through the data security ranks. His computing career began at 19, as a programmer writing code to automate the calculation of electrical rates and customer billing for a utility company in Utah. As his programming skills broadened, he became more interested in security technology and in business, earning both undergraduate and M.B.A. degrees.

General Motors hired Mr. Christiansen in November from Visa International, where he was a senior vice president. His title is a new one at G.M., but the company had begun recruiting him months before Sept. 11, an indication that information security had already become a priority for senior management.
A big part of the comeback story at General Motors in recent years has been its use of information technology to forge closer links with suppliers, shorten product design-and-development cycles and manage its worldwide operations.

Yet operating in a global, networked world, where collaboration and information sharing are essential, brings new security risks. The access to computer networks for employees, suppliers or contractors that can make a company more nimble and fleet-footed also makes a company far more vulnerable to theft, sabotage and information-warfare attacks.

"It is the digitization of the enterprise that drives the importance of information security to the top," Mr. Christiansen said recently in his Detroit office. "Our car designs are all mathematical models. You don't make a single car, a single truck, without a computer system — actually, several of them."

Major manufacturing corporations like General Motors have been adapting their supply pipelines for years. In 1996, G.M. learned a costly lesson in the potential pitfalls of just-in-time inventory practices when an 18-day strike at two factories that supplied brakes shut down 26 assembly plants, reducing quarterly earnings by $900 million. Afterward, the company reorganized its manufacturing and supply channels so that production of critical parts was more diversified and flexible, making it far less susceptible to the loss of a single plant or two.

Mr. Christiansen's job is to take similar, risk-reducing steps for the data networks that connect the company's operations and people. "It is the equivalent of G.M.'s nervous system," he said, "and if it were knocked out, it would be as if suddenly your arms and legs don't work anymore."

Mr. Christiansen must make sure that, beyond any physical attacks, such cyberweapons as an industrial-strength denial-of-service software attack, a self-replicating worm or a computer virus cannot bring the network down.
Clever software tools - so-called intrusion engines, neural-network technology and the like - can help limit the damage from network sabotage like the Nimda worm, which cost companies around the world an estimated $500 million last fall.

Yet the more important safeguard, Mr. Christiansen said, is designing computer systems and putting in place employee procedures to reduce risks before the problems occur. "Security isn't technology," he said. "Security is process, though it is enabled by technology."

The American Society for Industrial Security, a professional organization with 32,000 members, wants to hasten the evolution of the field. In the last few months, the organization has been developing a detailed description of the preferred qualifications and responsibilities for "the new position of chief security officer." The work is not finished, but the draft proposal says the chief security officer - who would ideally hold a graduate degree in business or law - should be a senior executive with strong analytic, strategic and communications skills in addition to security expertise.

"For corporate North America, 9/11 was a wake-up, bar none," said Mr. Williams of Nortel, who worked on the society's job-description document. "There will be a lasting effect, and many corporations recognize they need security leadership. But there is also a real need within the security field to broaden itself."