
CSOs become indispensable

John Pontrelli has a job most information security executives can only dream about.

By Kimberly Weisul, Inter@ctive Week

Pontrelli is the worldwide head of security at W.L. Gore and Associates, a manufacturer of fluoropolymer products, including high-end filters and the eponymous Gore-Tex. While most corporate information security officers spend much of their time trying to convince business managers of the importance of security, secrecy is simply a way of life at W.L. Gore.

"We do tons of patents, but we hate to do patents because then everybody knows exactly what you're doing," Pontrelli says. Instead, he says, "We live on trade secrets."

Pontrelli, in charge of all of W.L. Gore's security, is himself in the dark about many of his company's manufacturing processes. "'Need to know' is a way of life here," he says. And Pontrelli doesn't need to know.

Once a small coterie employed only by large financial institutions, a whole new legion of specialists is cropping up to make sure paranoia is high on the corporate agenda for a broad range of companies inching into e-commerce. Their actual titles vary, but the upper crust are often known as chief security officers (CSOs). These folks are a far cry from the password clerks that spearheaded information security. Instead, the CSO's job is to make sure the information of an entire enterprise is safe from intrusion and attack. The successful CSO is part teacher, part techie and full-time preacher.

"There's virtually no computer that is worry-free, unless, of course, you're not connected to a network," says David Slade, director of corporate computer and network securities at Lucent Technologies. "We couldn't exist that way."

W.L. Gore, on the other hand, has been existing this way for years. "When I came in, I said, 'Show me the firewalls, the proxy servers,' " says Pontrelli, who used to head up the investigations unit at Microsoft. "They said they didn't have all that." The reason is simple: W.L. Gore's computers don't talk to the outside world. The company's Web site is hosted by PSINet, and it isn't connected to W.L. Gore's own computers.

A changing world

But W.L. Gore's world is changing. That's where Pontrelli comes in. The company has plans to move into electronic commerce. Before then, it will be opening up some of its systems to consultants and audits. Part of Pontrelli's job is to make sure the company's trade secrets don't disappear in the process.

Thanks to the Internet, more and more companies are finding themselves in W.L. Gore's position. Not all of them are lucky enough to be building on a culture of information protection. The response for many is "to hire someone that management can point to and say, 'You make that happen, Fred,' " says Frank Prince, a senior analyst at Forrester Research. Expecting one person to be responsible for information security across an entire enterprise is not necessarily realistic, Prince says, even though most of these individuals quickly set about building a security team. "Fred might be a fool for taking the job," Prince says. Worse, he says, "There are very few Freds out there in any of these areas."

While the Internet has elevated the role of security professionals, it's made keeping an enterprise secure much more difficult. Distributed networks mean that there are more access points to be protected - it's not just a matter of protecting a few mainframes. Corporate systems are now vulnerable around the clock, not only during business hours.

The focus of security efforts has changed as well. No longer will one impregnable wall around important corporate information suffice. Instead, different rules of access have to be negotiated for all types of constituencies, such as vendors, suppliers and customers. Keith Rodgers, chief information security officer at Bank One, borrows a manufacturing term and calls this new approach "just-in-time" security. While just-in-time security can be just as strong as the brick-wall-and-moat approach, Rodgers says it can also be more expensive. "You're not in a position to have as much time as you would like to ensure your solutions are as adaptable to different business needs that are going to come up over time," he says.

In high demand

As more brick-and-mortar companies tackle electronic commerce, the demand for CSOs, once relegated mainly to the financial services industry, is booming. "The mental attitude has changed dramatically," says Laurie Sabbett, a partner at search specialists Alta Associates. "If you're going to have e-commerce, you have to have security."

"As we move into a more distributed environment, an e-commerce environment, security is not a necessary evil," says Howard Schmidt, head of information and physical security at Microsoft. "It's part of the business process." Schmidt also serves as president of the Information Systems Security Association, a professional organization for security officers. He says just two years ago, membership in the ISSA stood at roughly 1,200 people; he estimates the group now has about 1,800 members.

Top-flight management, especially in the information technology (IT) area, doesn't come cheap. Hiring a CSO can easily be as expensive, and as difficult, as finding the right chief executive for a start-up. Recruiter Sabbett says she recently worked on a CSO position that paid US$900,000 per year. That's an extreme, Sabbett says, because the hiring company was one of the largest in the world, and the incoming CSO needed to be able to influence a global organization. For mere mortals, base pay starts at US$200,000 to $300,000 per year, plus bonuses of about 30 percent of salary, and options programs that vary wildly. Financial services companies, with their heavy regulatory requirements, are more generous. "I would say US$400,000 to $500,000 [base pay] is about the average," Sabbett says.

Dual personalities

Successful CSOs have to be as good at sales as they are with technology, since they've got to convince the heads of business lines to integrate security into their strategies. They have to be able to speak in terms of business objectives with the business managers and launch wholeheartedly into tech-speak with the IT department.

Like most CSOs, Bank One's Rodgers spends most of his time meeting with other Bank One senior executives around the country, trying to educate them about security practices and risk. After all, even the most advanced computing systems can still be compromised by sloppy procedures. It's much harder to prevent employees from copying information onto a disk and taking it home than it is to install a firewall.

"The biggest breaches that come about are because someone misconfigured something," says Nancy Wong, who is on a leave of absence from Pacific Gas & Electric (PG&E), where she was in charge of information security. She's now working full time on a special committee overseen by the Department of Commerce called the Critical Infrastructure Assurance Office. The office's mission is to ensure the security of the nation's infrastructure: power grids, communications lines, air traffic control.

Thankfully, security is becoming an easier sell. "A lot of folks have come to the realization that since we are opening up our information, and our clients' information, literally to the world, there has to be protection," says Bob McKee, in charge of worldwide corporate information security at The Hartford Financial Services Group. He says his phone is ringing more frequently with calls from managers asking his advice on projects. "We don't have to push our way into projects and meetings as much as we used to," he says. "We get invited."

The security officers' cause is helped by their position on the corporate totem pole. While there's no standard reporting chain for CSOs, they're hardly buried in the corporate hierarchy. Microsoft's Schmidt reports to the company's chief information officer, while W.L. Gore's Pontrelli reports to his company's chief operating officer. Peter Browne, First Union's head of information security, has the same boss - an executive vice president - as the firm's CIO and chief technology officer. At Lucent, Slade's chain of command runs to an audit group and then to the chief financial officer. While Wong was at PG&E, her group was overseen by the audit committee of the board of directors.

Each approach has its strengths. Some say the CSO should not report to the CTO, since the two may have competing priorities. Others say the only way to keep abreast of the technology is to somehow be part of the IT organization. A third option is to combine physical security with information, or logical, security, and to have the combined group report to the CEO or directly to the board of directors.

Physical and intellectual property security are already tightly coupled at companies such as Microsoft. The Microsoft Information Assurance Program includes everything from disaster recovery to wiring closets to telecom security and the computer investigations team. For many companies, there's no alternative. Who's responsible, for example, for a shared wiring closet to which 50 tenants may have access? When a laptop is stolen, is that the responsibility of the physical security people or is it the information security team? "Investigations nowadays are not trench coats and glasses," Pontrelli says. "It's all forensics. Ones and zeros."

That makes it even more important for both groups to cooperate. In the case of laptop theft, says Eddie Schwartz, CSO at Nationwide Insurance, physical security is familiar with theft and losses and finding patterns in laptop disappearances. Schwartz' group knows countermeasures and encryption. Schwartz says the two groups are converging, largely because they have to. "A physical security person, not knowing enough about computer technology, can break the chain of custody of evidence, and it may not hold up in court," he says.

Spit and polish

To bring the two sides together, corporations are increasingly doing what Nationwide has done - they're hiring government and military alumni. Schwartz worked for diplomatic security at the U.S. State Department before becoming a consultant and eventually moving to Nationwide. Microsoft's Schmidt has been in security for 31 years, beginning his career at a police department in Arizona before moving to the Federal Bureau of Investigation. He served as the director of computer crime and information warfare for the United States Air Force before joining Microsoft. Pontrelli spent four years with the Special Forces unit of the U.S. Army.

Those with military backgrounds say the procedures and the mindset of a security fanatic are harder to inculcate than an understanding of information technology, which they claim can be more easily learned.

Government veterans have plenty of incentive to move to the private sector. "We can almost always double their salary," Alta's Sabbett says. Pontrelli, for his part, can't see himself going back into government work. "If you're making nothing in the military, making double nothing in the government is great," he says. After working in the private sector, "double nothing" is no longer so appealing.

The flip side is that military security experts are not always able to adapt to a corporate environment. "I have a relatively low tolerance for the 'got to do it by the book and not deal with the real issues' mentality," First Union's Browne says. Information security, he says, is about recoverability, availability, business systems and processes. Military security deals with only about 30 percent of that, Browne says. A lot of the information that Nationwide puts on its Web servers would never be there if military-style thinking were to prevail, Browne says, because the information can't be made entirely secure. Browne has successfully hired some government veterans, because they're often well-trained in technology and management. "If they're adaptable, then they're okay," he says. Browne, of course, could be speaking about any business executive trying to tackle e-commerce. Which just shows how far security officers have come.