Chief security officers (CSOs) must expand beyond their technical roots and embrace a company’s business processes and thinking since security is a key driver for business success, panellists said at the recent RSA Conference 2005 in San Francisco.
“Many of us were born out of the technical side,” said Lisa (LJ) Johnson, Global Information Security Manager for Nike Inc., during a round table discussion about the role of CSOs. “Getting my MBA and getting business skills was critical because it gave me a whole new lexicon and business language. When I [go to] speak with my business leaders and executives I can speak their language and I can build more trust with them.”
CSOs must have business skills, such as being able to read and understand financial statements and understand business objectives in order to make security a business driver, Johnson added. Success in security translates into more business partners and customers willing to work with a company, especially when it is known to protect the integrity of its information.
“If you are only focusing on your technology — the threats and vulnerabilities — you are missing why you are here,” Johnson said.
This puts pressure on CSOs to keep up with changing business realities and ideas. The problem is that none of this can be taught in a classroom, panellists said. CSOs have to pick it up as they go along.
“You will have to scramble every chance you get,” said Dennis Devlin, corporate security officer with The Thomson Corporation. “Read more publications and study more disciplines than you ever did before.”
Mary Ann Davidson, chief security officer with Oracle Corp. said her interest in military history and strategy is something she draws on for tackling security issues and threats.
Conforming to security policies and processes around new regulatory demands — such as the Sarbanes-Oxley Act (SOX), passed in 2002 in the United States and meant to help reduce corporate and financial fraud, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which passed in 2001 in Canada — is likely to preoccupy CSOs more and more in the future.
The panel admitted that these new regulatory requirements have put added pressures on CSOs, who now find their job includes making sure information has not been compromised.
Karen Worstell, today the chief information security officer for Microsoft Corp., was previously the chief information security executive for Cingular Wireless and AT&T Wireless, where she worked to align Cingular Wireless and AT&T Wireless’ security policies with SOX. It proved an enlightening process because it showed how much security is tied to business processes, she said.
“My obligation was to support the finance team and come back with a methodology for us to be able to validate that we did not have unauthorized modifications to the financial records,” Worstell said. The company saw improved business as partners and customers increasingly trusted Cingular Wireless and AT&T Wireless, she said.
“We look at three business drivers that are risk related: regulation, revenue and reputation,” said Devlin. “They are complementary. They are not mutually exclusive and they are also complementary to other parts of our business. Making ourselves compliant demonstrates security to our customers and that helps on the revenue side and it helps protect the company brand and reputation.”
But making sure a company’s security is compliant with SOX or PIPEDA is proving to be complicated.
“Trying to get these things to match is like herding cats,” said Ron Gula, president and CEO of Tenable Network Security in Columbia, Md. Gula said CSOs are struggling with two things under the new regulations: their ability to audit networks and machines to see how secure the systems are, and getting those systems to conform to today’s new privacy and security regulations.