[ISN] What would you do first as chief information security officer?

From: InfoSec News (alerts@private)
Date: Thu Feb 15 2007 - 22:27:30 PST


By Ellen Messmer

Becoming the chief information security officer (CISO) of a corporation 
makes you a strategic IT advisor to business management, the chief 
information officer, and the rest of the information technology staff. 
Just as no company is the same as another, the job of CISO -- or 
alternately, chief security officer, which might include physical 
security as well -- isn't either. The four security professionals who 
share their priorities with us make it clear there's nothing 
cookie-cutter about the top IT security job.

Name: Beth Cannon
Title: Chief security officer at San Francisco-based merchant bank 
Thomas Weisel Partners
Installed base: 700 employees using servers, desktop and laptop 
computers, plus 450 handhelds, mainly BlackBerry

Broad concerns about regulatory compliance were instrumental in creating 
the chief security officer job at merchant bank Thomas Weisel Partners 
back in 2004.

"Among the drivers for the CSO job were the disaster-recovery rules 
coming into play from the Securities and Exchange Commission (SEC) after 
9/11," says Beth Cannon, the first-ever CSO there. "We also needed to look 
at Sarbanes-Oxley because we were planning to go public."

Thomas Weisel Partners decided to carve out the job in order to have a 
point person acting as central liaison between the legal department, IT 
and upper management in crafting IT security policy.

Cannon, who reports to the CIO, said she has made it a priority to have 
telecom providers disclose how lines to the bank's corporate clients are 
routed to avoid an over-concentration in one area -- one horrible lesson 
learned after the Sept. 11 terrorist act on New York -- and is looking 
at VoIP as an option for some services to users.

While it's not always easy to build unity internally around security 
policies, one advantage, she says, is that her eight-year tenure at the 
firm -- she was the chief technology officer there before accepting the 
position as CSO -- meant "I've built a lot of relationships."

This helped in the situation when she had to sit down with the legal 
department and IT to hammer out security policies she was advocating for 
the hundreds of BlackBerries and laptops that employees take with them 
for mobile computing.

While sometimes employees balk at policies such as password time-outs or 
encryption that may add complexity, says Cannon, it's easier to help 
change a pattern of computer behavior when the discussion occurs between 
people who personally know each other. "The relationship really becomes 
the key," said Cannon.

Name: Jalal Zamanali
Title: Senior vice president of information technology and chief 
information security officer at Temple-Inland and its subsidiary 
Guaranty Financial Services
Installed base: 16,000 end users, mainly in North America, in a 
primarily Windows-based computing environment, with 1,200 servers and 

One of the first things that Jalal Zamanali did after joining 
Temple-Inland, a large firm with interests in corrugated packaging, 
forestry, real estate and financial services, was to do a security 
assessment "to see where we are and where we ought to be," he notes.

He also organized the staff of 17 security specialists into three teams -- 
one to conduct penetration testing, a second to handle security 
monitoring and management, and the third dedicated to security 
governance, which he describes as policy development and standards 

"The standards specify elements in the policy, such as authorization, 
authentication, and they're requirements," says Zamanali.

Now at Temple-Inland for about one-and-a-half years, one of Zamanali's 
first priorities was deploying a security-information management product 
to centralize security-event reporting, in this case one from NetIQ.

"Without tools to identify some events we're interested in, it can be like 
finding a needle in a haystack," said Zamanali, who reports to the chief 
risk officer, who in turn reports to the CEO. Upper management's concerns 
generally relate to compliance with regulations that include 
Sarbanes-Oxley and Gramm-Leach-Bliley, he notes.

Zamanali, who came to Temple-Inland after stints in top security jobs at 
JP Morgan Chase, IBM Global Services, and Dell, says his early work life 
actually began as an engineer designing nuclear submarines. Like many 
others living through the age of rapid expansion of information 
technology and security, he said he simply became fascinated with it and 
decided to switch careers.

Name: Isabelle Theisen
Title: Chief security officer at First Advantage mortgage services
Installed base: About 6,000 workstations, PCs and servers, plus some 
BlackBerry and cell phones, for about 4,500 employees

When Isabelle Theisen joined St. Petersburg, Fla.-based First Advantage 
about one and a half years ago as its first-ever chief security officer, 
she sensed the new job, where she reports directly to the company 
president, was going to be dynamic.

"This is intended to be proactive management, and a team of five people, 
also all new, came in at that time, too," said Theisen, who says she 
started out in her career as a firewall administrator at Ernst & Young, 
with her previous job in security at American Express.

Her CSO team now works with 17 members of the First Advantage IT 
department on security tasks that include risk evaluation, logging and 
monitoring of all security devices. There are plans underway to monitor 
all the servers.

One main security push is to deploy intrusion-prevention systems, in 
this case TippingPoint, at first just in monitoring mode but eventually 
to block attacks. "Are we getting attacks, perhaps from Russia, China or 
whatever?" Theisen asks. "It's about stopping that." As it deploys IPS, 
First Advantage will probably phase out standalone intrusion-detection 
systems that only monitor.

"First Advantage has allowed me to build a three-year strategy and 
roadmap in order to dovetail security with business plans for a Web 
portal and other online efforts," Theisen notes. In her own security 
division which she has organized, compliance reporting and building a 
security operations center are two main areas of focus, with future 
efforts to encompass identity management.

Name: Martin Carmichael
Title: Chief security officer at McAfee
Installed base: Windows-based computers to support over 3,600 employees 
globally, many of whom also have BlackBerries and cell phones, not all 
provided by McAfee

Although McAfee is a veteran in terms of selling security products, it 
didn't really have a well-defined chief security officer position until 
Martin Carmichael joined last October.

"Before me there was a security officer who was a consultant from 
Deloitte & Touche," says Carmichael. "This is the first time the office is 
broadly defined."

Specifically, Carmichael takes on CSO responsibilities that include 
defining risk management and compliance reporting for McAfee as well as 
acting as the chief privacy officer on questions of personally 
identifiable data. "I report jointly to the CIO and to the board," says 

Carmichael, who has 22 security specialists directly assigned to his 
security group with 160 others at McAfee working collaboratively with 
his division, has already organized a number of specialized teams that 
include security operations, compliance and business continuity.

Carmichael noted that sometimes highly technical people don't communicate 
as well with business people as we'd hope. By formally building bridges 
between the technical and business sides, Carmichael hopes to achieve 
the best results within an allotted budget. "I'm here to reduce risk. I 
fight for budget resources," said Carmichael. "I can't imagine one CSO in 
the world who doesn't lobby for more."

Carmichael comes to McAfee from the wireless handset insurance provider 
Asurion Corp. where he was CSO, and has also held senior IT security 
positions at Wells Fargo, Los Alamos National Laboratory, Oak Ridge 
National Laboratory, and NATO. Carmichael fondly recalls working on one 
of the very first commercial firewalls at Digital Equipment Corp.

While there are a number of useful security governance models, 
Carmichael says his own favorite is a security-evaluation metric called 
the Systems Security Engineering Capability Maturity Model, which was 
developed by the Defense Department and some industry partners to 
evaluate both practices and products.

"It's a process-based framework metric we could use at McAfee," Carmichael 

All contents copyright 1995-2007 Network World, Inc.
