What a stark paradox: Just when information security risks are hitting critical levels, some of the profession’s best and brightest leaders are being pushed to the sidelines.
Consider these events reported this past March and April:
— Hackers stole thousands of customer credit card numbers from BJ’s Wholesale Club Inc.
— Online “phishing” scams separately targeted Wells Fargo & Co. and the U.S. Internal Revenue Service.
— GMAC Insurance Holdings Inc. alerted 200,000 customers to credit data stolen in January.
— The University of Kansas, the University of Texas, Georgia Tech and Stanford University suffered major information security breaches.
— Microsoft Corp. published security bulletin MS04-011 (which addressed the vulnerability that the Sasser worm exploited a month later).
Now contrast those news items with what was happening in Atlanta, for example, during that same time period:
— Bob Wynn, former CISO for the state of Georgia, was searching for an executive-level security position.
— Bill Spernow and John Hurd, two other former state agency CISOs, were also out of work; Spernow was losing his patience with “CISO” openings that amounted to firewall maintenance.
— Former state CSO Steve Akridge was doing independent consulting work; he expresses a high level of frustration with some clients’ lax attitudes toward information security.
— And Gail Griffith, a former private-sector deputy CISO who says information security “is in my blood,” was selling real estate full-time.
It isn’t just Georgia. Next door in Florida, former information security manager Terry Williams echoes Spernow’s observation about positions that amount to “firewall jockeys.” In Chicago, Sharon O’Bryan, former CISO of Dutch bank ABN AMRO Holding NV’s North American operations, reports the same. Ditto from a former executive on the West Coast, who gave up and took one of those firewall jockey jobs. In Cleveland, CISO James Wade exited Key Bank. In New York and Boston, over the past few years, Reuters America Holdings Inc., State Street Corp. and Fidelity all fired CISOs or dissolved the positions entirely. In the University of Texas system, within a recent span of six months, three infosecurity leaders resigned in frustration.
That’s simply too many talented executives, telling too consistent a story, to call the situation a fluke. The struggle of the C-level information security role is what the disaffected would call a systemic failure — a woeful negligence on the part of corporate America, boards of directors and CEOs. Right when the information security problem has reached a critical stage — and it’s getting still worse, fast — many companies have de-emphasized and marginalized the CISO role. Instead of elevating the function, they’re burying it.
Even if they pretend that they’re not burying it. Many companies nominally hiring CISOs seem to neither understand nor embrace the role and give it zero BSA (budget, staff and authority). Or they use the CISO in some purely technical capacity. Still others are hiring a CISO to check off compliance with some recently cemented regulation. Such a position amounts to someone hired to “sit on the bomb” so that when security inevitably blows up, there’s a fall guy. Job candidates are left twisting in the wind, overqualified for the positions that are available, and unable to find leadership positions where they can effect the real changes necessary to protect stakeholders’ interests.
Bill Spernow, former CISO of the Georgia Student Finance Commission, calls all of this the “paper tiger” syndrome. But that’s not quite it. Paper tigers are fierce-looking creatures that turn out to be timid and weak. This is more like a caged-tiger syndrome. Many of the security executives in this situation offer high levels of talent, knowledge and experience — yet they remain penned in or shut out.
“It’s such a prevalent situation,” says Spernow. “People who are good at this job are leaving in frustration. Information security is suffering,” because of many corporations’ unwillingness to take this discipline seriously.
There are those who will argue that what’s taking place is a perfectly ordinary progression of the CISO role. That — like CIOs and human resources executives before them — CISOs are simply fighting a protracted, predictable battle for entry into the executive ranks.
Perhaps that’s the case. Unfortunately, one wonders if infosecurity can afford to follow that maturation, which can take years. After all, the CISO’s adversary in the information security wars has elevated his tactics to a startling level of sophistication. Spam, malware and confidence tricks are being combined in increasingly clever ways to generate ever more targeted and explicit payoffs. What was once principally a downtime problem has morphed to include extortion and identity theft.
Onward and downward
Meanwhile, some of the very employees most capable of combating those threats are out of the game and not being given a genuine opportunity to get back into it. These are people who are passionate about their chosen profession, but are contemplating leaving it. Their experiences describe a deterioration of information security that takes place in three stages:
1. The once and future cost centre.
Despite the fact that his official title was information security manager, Terry Williams’ bosses kept calling him the CSO. Indeed, there was no higher-level information security person at his small, 400-person cellular service company. And he did manage to implement some solid practices and programs that he had learned in a previous job as a security manager at a large utility company. He was proud and eager to apply high-level practices to even a small company. Then one day last year, the company dissolved his position.
“In 15 months, they dismantled everything I had done,” says Williams. “They don’t want to hear about what they need to do. What they want is, ‘Stop the bad stuff from happening, but don’t slow down the process, and don’t affect the bottom line.’”
This is the classic Law of the Security Cost Centre at work. Williams was put under the vice-president of IT. He was the de facto CISO, getting paid like an administrator. And when he wanted to hire a security staffer, the human resources team hired an outside service to determine appropriate pay, and told Williams that he could have US$25,000 to fill the position.
Nothing Williams has seen in the eight months he’s been seeking another CISO position encourages him. “I’ve had several interviews for so-called CISO and infosecurity manager positions. Mostly, they’re looking for router and firewall jockeys.” Williams says his next step might be to reinvent himself, as a compliance officer. Even then, based on his interviews, he sees companies waiting out the regulations to see what they really will have to do. He also has thought about getting some accounting experience to pursue security jobs through the IT audit function.
And he’s considered security consulting. “I’ve thought of pursuing teaching too,” he says. “I think that this is a lull that will last at least two to five years. I’ve been trying to explain this to my wife. You’ve touched a nerve with this topic and it smarts.
“I haven’t given up. It’s tempting, though.”
2. The fading priority.
Bob Wynn had an ambitious plan. “I called it Secure Georgia, and the idea was that we could build this unit between the state and everybody else and share IT security information. Basically, create the state ISAC.” Wynn, who served both as CISO and CSO of Georgia — and who has worked in security for two decades — got his program well under way. He built good relationships with some rather important national players based in Atlanta — Delta Air Lines Inc., The Coca-Cola Co., The Home Depot Inc. He decompartmentalized security across state government. He linked up with the U.S. Federal Bureau of Investigation, Secret Service and the Department of Homeland Security. One peer called Wynn the “quintessential security executive” precisely because instead of focusing on technical challenges, he thought about the bigger picture and could communicate it to others (Wynn started his career in sales).
“I thought, if someone had vision, we could be a regional leader,” says Wynn. “Other states could come to Georgia as a security leader and see how we do it. So there I am, thinking like a C-level executive. And (the state’s leaders) don’t want any of it. They tell me to focus internally. I understand that; I’m not saying ignore that. But the bigger picture….”
Wynn was let go this past August — three months after Bill Spernow was let go by the state and about two months before John Hurd, another executive-level security chief working for the state, was ousted. Wynn won’t comment directly on his termination, but it seems that the very qualities that made him the quintessential security executive to his peers were the reason why his bosses eliminated his position. One former CISO says the role should be “nine percent technical and 91 percent political.” Georgia seemed to want Wynn’s role the other way around. (Representatives of the Georgia Technology Office did not return calls soliciting comment on this issue.)
“They’ve made security a much lower-level thing,” Wynn says. “I don’t think it can work without an executive-level presence. You’re putting security into other groups, underneath functions it’s supposed to watch over.”
Wynn acknowledges that politics and money do indeed play a role in state government. Still, Wynn believes that what he’d call Georgia’s regressive attitude toward information security is not a peculiarity of public-sector life. He sees Georgia’s attitude as a predictable phenomenon, a corollary to the Law of the Security Cost Centre: Call it The Law of Security’s Half-Life. The longer nothing bad happens in a cost centre, the less value you place on it and thus the less you’ll spend on it. In Wynn’s case, nothing had happened to Georgia’s technology infrastructure for some time. Wynn himself says, “When Slammer hit we were hardly touched.” Sept. 11th has receded enough to allow some separation from the anxiety (and awareness) it created. The highest levels of Wynn’s “company” couldn’t embrace his vision for Secure Georgia because they didn’t feel that they had to.
Now, as Wynn interviews for both public- and private-sector positions, he says he repeatedly witnesses this disconnect between executives’ view of security and his view. “It’s frustrating. You read the description of the position and you think you’ll be the man. You’ll be able to make positive change in the organization. But then you get in there, and they won’t talk about a budget. And they don’t say anything about staff. You start to get the sense they want a manager for the firewall group, not a comprehensive security program.
“Even as I’m sitting here talking about it, it’s started to crystallize things for me,” Wynn says. “I need to morph myself into something other than a CSO. Leave the field. Or at least get out of the operational end of it. I think the problem is even worse than it appears. The role has been marginalized.
“Well, at least until the next crisis, then they’ll all say, ‘Oh my God!’ and, you know, here we go again.”
3. The visibility-starved corporate function.
John Smith (not his real name) thinks he has noticed a recent, significant change up at the C-level suite of his large energy company. “The top levels are saying, ‘Whoa, we have some (risk) exposure here. What are we going to do about it?’ All of a sudden, there’s this intellectual interest. Will it be followed by dollars? We’ll see.”
Forgive Smith for being skeptical. He’s only reacting to his experience so far in his job as a senior information security technologist. “I work for a major utility that doesn’t really care about security,” he says. He was hired to manage business continuity, disaster preparedness and risk management programs. But none of the three programs “have gotten out of the gate for lack of funds and lack of senior management concern,” he says.
Smith spent the four previous years as a full-fledged CSO at a large software company. He talks about that job with a kind of sparkle in his voice. “They were four fantastic years,” says Smith. “I was lucky there. I had a great boss. Great toys. Within days of joining the organization, the chief counsel had seen a risk and called me in to berate me. I told him, ‘I’m not in the security business, I’m in the risk mitigation business.’ We talked risk for an hour. I got dotted line reporting to him. He said if I needed help, just call him.” Unfortunately, that company went under.
And his current job? “The information protection department is buried down at the lowest possible layer. There’s absolutely no C-level visibility. We have less than 20 people, and the pervading feeling is we are ignored.”
Smith says he’s prepared to offer a C-level security program, business cases, ROI and other metrics, to show executives the business risks they face, but they can’t get those messages because they can’t see Smith. Even though the company has started to address exposures, Smith says he believes their focus is still rather narrow. But to communicate that upstream is difficult. Any message he sends up gets filtered too much to have any impact.
All of that piques Smith to no end. While his current job isn’t close to the executive level (like others in this article, he couldn’t find any of those, even among positions advertised as C-level security jobs), Smith had hoped to effect change at that level eventually — essentially, create that top-level presence from within. “I want to stay,” says Smith. “But I’m going for my real estate broker’s license next week, in preparation, in case bad stuff happens.”
Flight or fight
Combine the experiences of Terry Williams, Bob Wynn and John Smith and you can follow the vicious cycle (some call it a downward spiral) that information security faces. Follow the plot: Information security is a cost centre. To minimize costs, security is pushed down, well below the executive level. As security is pushed down, its visibility to top management diminishes. If top management doesn’t see security (or the business case for it), support erodes further. And eventually, the information security program stops getting the resources it needs to keep pace with the problems it’s meant to mitigate.
For the guild of security professionals, watching the profession get squeezed in this manner is gut-wrenching, which leads to an even worse consequence: Talented professionals give up. They leave security operations for consulting or vendor jobs, or leave the field entirely. “We can’t lose them,” says Gary McGraw, CTO of security vendor Cigital Inc., and coauthor of Exploiting Software: How to Break Code. “If anything, we need more. We need more Phil Venables (of Goldman Sachs & Co.).”
Bill Spernow adds, “We need more Bill Bonis (of Motorola Inc.).”
More Rich Baiches. Rich Baich is not marginalized. He’s currently thriving as CISO for ChoicePoint Inc., in the very Atlanta where Wynn and company have been stymied in their efforts to Secure Georgia. Baich recently won an award as Georgia’s Information Security Executive of the Year. He’s got a budget and visibility. Baich thinks he knows why. While he acknowledges the trends talked about here, he also believes CISOs should do a little more self-reflection.
“I’ve seen some companies hiring CSOs and CISOs for the wrong reason,” says Baich. “But the biggest thing is, we hurt ourselves too. We need to augment our skill sets.”
Yes, yes, get your MBA. But not just that, Baich says. “I’m using sales skills, and it’s paying off huge. I’m figuring out how to position security as if I’m selling a product or service. It’s a skill set that’s not really in security today.” Because sales, he says, is something that some security executives think is below them.
Samantha Thomas, CISO of the California State Teachers’ Retirement System, puts it more bluntly. “If you feel like you can’t go into a mediocre situation and bootstrap it, use sales skills, metrics, sell security, then you’re whining and you’re not being opportunistic,” she says. “You actually have an audience that isn’t sure what it needs for a good high-level security program? My God. Get in there and tell them what they need. Change that world.”
For his part, Wynn couldn’t agree more. “That guy in CSO with the bullhorn had it exactly right. It’s not just the fault of the other C-levels. CISOs have skin in the game too.” Security executives have been poor on branding and marketing, he says.
“Then again,” says Wynn, “I was sales trained. I understood the marketing aspect; I never thought sales was below me, so to speak. I liked to jump in and try to be persuasive. I did all that.
“And it didn’t work.”
Does it matter?
Perhaps no one embodies the disconnect between corporate America and CISOs better than Gail Griffith. Two years ago, Griffith took a buyout from Delta, where she had been deputy CISO. She expected to land another C-level job soon. She still hasn’t found one and is selling real estate in Atlanta.
Griffith has run up against the same dismissive biases against information security. Often, she asks friends, church members, anyone she might be chatting up, ‘Who does security at your company?’
“The most common response that I get,” she says, “is that the vice-president of IT, or HR, or an IT manager is doing it. It’s not even their primary job and they don’t have training or expertise in information security. And here I am looking for a job. I’m scanning, scanning, looking for jobs that say ‘officer’ or ‘director’ or even ‘manager.’ Instead, I’m getting asked, ‘How many (programming) languages do you know?’”
Griffith feels the disconnect viscerally. Here is a woman who has tried to embrace her job as a real estate broker, but cannot. More than once, she has called off her search for a C-level security position, only to come back and try again. She talks about how security is in her blood. She talks slowly and thoughtfully, her voice laced with disillusion.
“I know, why even try anymore, right? Most people are too smart to stay with it,” says Griffith. “I tried, but I can’t seem to get away from it.”
Griffith says the reason she keeps coming back is this: “I remember, in 1999, that a pilot had tipped us off that there was some questionable material on some (online) bulletin board for pilots. I had to check it out. And there was this guy talking about jihad and fire raining from the sky and all this crazy stuff.”
Following standard procedure, Griffith sent the information to the FBI and Secret Service, who took over the case.
“At the time, you thought, you know, it was crazy,” she says. “Now you look at that, and you make the connection between my profession and the greater good. You think, information security has a chance to do something important.
“Information security can be critical,” says Griffith.
Then she has to end the conversation; she has to go out and show a house.