http://www.networkworld.com/news/2007/021507-csos.html

By Ellen Messmer, NetworkWorld.com, 02/15/07

Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, chief security officer, which might include physical security as well -- isn't either. The four security professionals who share their priorities with us make it clear there's nothing cookie-cutter about the top IT security job.

Name: Beth Cannon
Title: Chief security officer at San Francisco-based merchant bank Thomas Weisel Partners
Installed base: 700 employees using servers, desktop and laptop computers, plus 450 handhelds, mainly BlackBerry

Broad concerns about regulatory compliance were instrumental in creating the chief security officer job at merchant bank Thomas Weisel Partners back in 2004. "Among the drivers for the CSO job were the disaster-recovery rules coming into play from the Securities and Exchange Commission (SEC) after 9/11," says Beth Cannon, the first-ever CSO there. "We also needed to look at Sarbanes-Oxley because we were planning to go public."

Thomas Weisel Partners decided to carve out the job in order to have a point person acting as central liaison between the legal department, IT and upper management in crafting IT security policy. Cannon, who reports to the CIO, said she has made it a priority to have telecom providers disclose how lines to the bank's corporate clients are routed to avoid an over-concentration in one area -- one horrible lesson learned after the Sept. 11 terrorist act on New York -- and is looking at VoIP as an option for some services to users.

While it's not always easy to build unity internally around security policies, one advantage, she says, is that her eight-year tenure at the firm -- she was the chief technology officer there before accepting the position as CSO -- meant "I've built a lot of relationships." This helped in the situation when she had to sit down with the legal department and IT to hammer out security policies she was advocating for the hundreds of BlackBerries and laptops that employees take with them for mobile computing. While sometimes employees balk at policies such as password time-outs or encryption that may add complexity, says Cannon, it's easier to help change a pattern of computer behavior when the discussion occurs between people who personally know each other. "The relationship really becomes the key," said Cannon.

Name: Jalal Zamanali
Title: Senior vice president of information technology and chief information security officer at Temple-Inland and its subsidiary Guaranty Financial Services
Installed base: 16,000 end users, mainly in North America, in a primarily Windows-based computing environment, with 1,200 servers and mainframe

One of the first things that Jalal Zamanali did after joining Temple-Inland, a large firm with interests in corrugated packaging, forestry, real estate and financial services, was to do a security assessment "to see where we are and where we ought to be," he notes. He also organized the staff of 17 security specialists into three teams: one to conduct penetration testing, a second to handle security monitoring and management, and the third dedicated to security governance, which he describes as policy development and standards development. "The standards specify elements in the policy, such as authorization, authentication, and they're requirements," says Zamanali.

Now at Temple-Inland for about one-and-a-half years, one of Zamanali's first priorities was deploying a security-information management product to centralize security-event reporting, in this case one from NetIQ. "Without tools to identify some events we're interested in, it can be like finding a needle in a haystack," said Zamanali, who reports to the chief risk officer, who in turn reports to the CEO. Upper management's concerns generally relate to compliance with regulations that include Sarbanes-Oxley and Gramm-Leach-Bliley, he notes.

Zamanali, who came to Temple-Inland after stints in top security jobs at JP Morgan Chase, IBM Global Services, and Dell, says his early work life actually began as an engineer designing nuclear submarines. Like many others living through the age of rapid expansion of information technology and security, he said he simply became fascinated with it and decided to switch careers.

Name: Isabelle Theisen
Title: Chief security officer at First Advantage mortgage services
Installed base: About 6,000 workstations, PCs and servers, plus some BlackBerry and cell phones, for about 4,500 employees

When Isabelle Theisen joined St. Petersburg, Fla.-based First Advantage about one and a half years ago as its first-ever chief security officer, she sensed the new job, where she reports directly to the company president, was going to be dynamic. "This is intended to be proactive management, and a team of five people, also all new, came in at that time, too," said Theisen, who says she started out in her career as a firewall administrator at Ernst & Young, with her previous job in security at American Express. Her CSO team now works with 17 members of the First Advantage IT department on security tasks that include risk evaluation, logging and monitoring of all security devices. There are plans underway to monitor all the servers.

One main security push is to deploy intrusion-prevention systems, in this case TippingPoint, at first just in monitoring mode but eventually to block attacks. "Are we getting attacks, perhaps from Russia, China or whatever?" Theisen asks. "It's about stopping that." As it deploys IPS, First Advantage will probably phase out standalone intrusion-detection systems that only monitor. "First Advantage has allowed me to build a three-year strategy and roadmap in order to dovetail security with business plans for a Web portal and other online efforts," Theisen notes. In her own security division, which she has organized, compliance reporting and building a security operations center are two main areas of focus, with future efforts to encompass identity management.

Name: Martin Carmichael
Title: Chief security officer at McAfee
Installed base: Windows-based computers to support over 3,600 employees globally, many of whom also have BlackBerries and cell phones, not all provided by McAfee

Although McAfee is a veteran in terms of selling security products, it didn't really have a well-defined chief security officer position until Martin Carmichael joined last October. "Before me there was a security officer who was a consultant from Deloitte & Touche," says Carmichael. "This is the first time the office is broadly defined." Specifically, Carmichael takes on CSO responsibilities that include defining risk management and compliance reporting for McAfee as well as acting as the chief privacy officer on questions of personally identifiable data. "I report jointly to the CIO and to the board," says Carmichael.

Carmichael, who has 22 security specialists directly assigned to his security group with 160 others at McAfee working collaboratively with his division, has already organized a number of specialized teams that include security operations, compliance and business continuity. Carmichael noted that sometimes highly technical people "don't communicate as well with business people as we'd hope."

By formally building bridges between the technical and business sides, Carmichael hopes to achieve the best results within an allotted budget. "I'm here to reduce risk. I fight for budget resources," said Carmichael. "I can't imagine one CSO in the world who doesn't lobby for more."

Carmichael comes to McAfee from the wireless handset insurance provider Asurion Corp., where he was CSO, and has also held senior IT security positions at Wells Fargo, Los Alamos National Laboratory, Oak Ridge National Laboratory, and NATO. Carmichael fondly recalls working on one of the very first commercial firewalls at Digital Equipment Corp.

While there are a number of useful security governance models, Carmichael says his own favorite is a security-evaluation metric called the Systems Security Engineering Capability Maturity Model, which was developed by the Defense Department and some industry partners to evaluate both practices and products. "It's a process-based framework metric we could use at McAfee," Carmichael concluded.

All contents copyright 1995-2007 Network World, Inc.