Are security pros worrying about the right stuff?

Worms are scary, but experts say personnel issues should get more attention

This is the first in a series of stories that will be addressed at the Security Standard event scheduled for Sept. 10-11 in Chicago.

“As a rule, men worry more about what they can’t see than what they can.”

Julius Caesar

“Security decisions are almost never made for security reasons.”

Bruce Schneier

Worrying almost seems to define the job of the CSO and CISO. The security chief is the corporate standard bearer for risk management in a world fraught with technical and human error, with hackers potentially lurking within and without.


When asked what they worry about, CSOs and CISOs cite regulatory compliance and security controls overlooked in IT projects. Some acknowledge a general angst that simply boils down to the great unknown of system-wide chaos.

But are security pros worrying about the right things? When asked this, many independent observers — former CSOs or consultants working with CSOs — offer a different perspective. They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.

What has security pros worried?

Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most data centers are held together by sheer heroic effort," he says.

When Microsoft discloses software vulnerabilities, as it typically does on the second Tuesday of the month, “We’re scurrying about to get patched, and I worry: What will the bad guys do before we patch everything?” Barrett notes.

Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation on legislation and regulation related to data privacy around the world and the right controls in place.

His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects? Are new threats coming up that we need to re-balance that portfolio?

At times Barrett’s concern turns almost philosophical: worrying is itself the mechanism for preempting catastrophe. “What are we going to be worried about if we don’t worry about it?” he notes.

Such worries abound. Adam Hansen, the IT security chief at Sonnenschein Nath & Rosenthal in Chicago, says his main worry is data privacy and the possibility of a data breach.

“I may see something that makes me uneasy," Hansen says. “Or others may come and question me and say, 'let’s look into it.’" When that occurs, Hansen will seek out the corporation’s legal counsel for expert advice before any kind of inquiry. This kind of worry is “part of the security culture," Hansen adds.

At motion-picture processing and games-manufacturing studio Technicolor in Camarillo, Calif., whose clients include DreamWorks SKG, Sony Pictures Entertainment and Paramount, the top worry is attackers who might steal the entertainment content.

“I worry about the criminalization of hacking, the piracy, how it’s organized and well-funded now," says Drew Maness, Technicolor’s director of security policy. The creative content, whether pre- or post-production, is held in film canisters and digitally on servers, and Technicolor guards it through tight physical and IT security.

“We have security like a government installation, but this is a creative environment and I’m not a general," Maness says.

Risk management can sound like a “Mission Impossible" episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on.

“I’m always on call," says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate and financial services.

Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the Sarbanes-Oxley and Gramm-Leach-Bliley laws.

“The chief audit officer has to translate these laws into control points," Zamanali explains. Consequently, Zamanali — who reports to the chief risk officer — makes sure he meets with the chief audit officer about once a week to discuss compliance issues. “We’ve created a great partnership with the audit team," he says.

But Zamanali’s worries don’t stop with regulatory compliance. “Our job is to be political and technical, so I have to understand the objective of the business," he says.

That means making sure there are meetings with the CEO, the CFO, the CIO and line-of-business managers to hear their plans and make sure appropriate security is part of them.

Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.

“This was triggered by the fact that we went public last year," Cannon says. “In the IT department, we organize the evidence that shows we’re following policy, only now the evidence has to be more structured for external and internal auditors."

Cannon says she’s looking into how to more easily aggregate data into IT-related evidence for reports and to promote a change in IT department functions.

“Sometimes it’s as simple as making sure there’s a change-control ticket, for example, instead of just flying back with an e-mail," she says. “For IT, sometimes it means a fundamental shift in behavior."

What CSOs should be worrying about

Consultants and other industry experts don’t dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals’ attention.

CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston.

“There is a mismatch between what the CSO is trying to accomplish and what the business expects," says Gossels, who adds that CSOs should be worrying about “How do you develop expectations for a business that are achievable?"

All too often, Gossels says, the top heads of security “tend to get fired. The CSO position is a very high-turnover position. They lose their jobs all the time."

Brad Johnson, vice president at SystemExperts, says one key worry that CSOs should have is where and how they’re going to find and retain the best security-savvy employees.

IT departments are populated with employees who are generally “average, a bunch are good and a few are outstanding," Johnson says. “These few people that are outstanding make 80% of the decisions that are important."

Today’s economy is robust enough that competition is heating up considerably for the best security professionals in the bunch. “The key worry is the retention of outstanding employees," Johnson says.

The International Information Systems Security Certification Consortium (ISC2), a professional organization based in Palm Harbor, Fla., has certified 48,000 security professionals, including through its Certified Information Systems Security Professional (CISSP) exam; such credentials are often found on the business cards and resumes of CSOs and CISOs.

Eddie Zeitler, ISC2’s executive director, says the IT security chief is typically hired “to change the culture of the organization, to make it a culture of compliance."

Zeitler, whose 30-year career included positions as CISO at Volkswagen Credit and head of security at Charles Schwab and Fidelity Investments, says a top concern for CSOs should be whether they can find personnel with the right skills at the right price.

He points to computer forensics, which requires people trained in procedures to capture potential evidence and preserve it appropriately, as an example.

“Forensics is a specialty, but unless you’re a big company, the forensics people are very expensive," Zeitler says.

He adds that ISC2, which conducts an annual global survey of security professionals in conjunction with research firm IDC, believes the IT security job market is expanding, and that many inexperienced people appear to be hired as demand builds. That is a security concern in its own right from an insider-threat perspective.

“FBI studies show that more than 75% of all attacks come from the inside. Every year I ask CSOs: Are you spending 75% of your budget on insider attacks?” says Andreas Antonopoulos, senior vice president at Nemertes Research. “Inevitably their answer is a bemused stare. Nobody is dedicating their budget accordingly.”

What to do about compliance

Howard Schmidt, the former security chief at eBay and Microsoft and former White House cybersecurity advisor, says there’s no doubt that regulatory-compliance issues are going to be a top worry for the CSO or CISO.

But Schmidt, now CEO of R&H Security Consulting in Issaquah, Wash., says there’s a danger in becoming too transfixed on regulatory compliance.

Instituting a Sarbanes-Oxley Compliance Committee, which includes the IT, legal, finance, human resources and audit departments, is one way to boost the effectiveness of the security chief, he notes.

But getting buried under regulatory-compliance reports puts other critical work on the back burner. “They’re being distracted to some level," Schmidt says. “You can be SOX-compliant and still not be secure."

Business processes need to change so that more of the logging, audit, and authorization and access-control information commonly requested in regulatory-compliance reviews is much more readily available, he says.

“The world of audit is changing,” SystemExperts’ Gossels says. “It used to be periodic assessment of controls annually or semiannually, from the internal or outside audits. It’s evolving away from that to an ongoing compliance that at any time, you should be able to show audit trails and logs, firewall rules or produce user accounts.”
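Gossels’ point about producing user accounts, firewall rules and audit trails on demand, and Schmidt’s that the underlying data should already be in a form an auditor can consume, can be made concrete with a small evidence-collection check. The following is an added example, not code from the article or from any organization quoted in it: the account, firewall-rule and change-ticket records are constructed for illustration, and the 90-day review interval and the specific checks are assumptions. It builds a point-in-time evidence record, cross-checks each firewall rule against a change-control ticket, flags privileged accounts with no owner or an overdue review, and hashes the record so that what was collected can later be shown to be unaltered.

```python
"""Continuous-compliance evidence check over constructed sample data.

Added example, not from the article. The records below are
hypothetical; a real collector would pull them from the directory,
the firewall management system and the change-control tool.
"""
import hashlib
import json
from datetime import date, timedelta

# Constructed sample data (hypothetical, for illustration only).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "owner": "it-ops", "last_review": "2007-08-01"},
    {"user": "svc_backup", "privileged": True, "owner": None, "last_review": "2006-12-15"},
    {"user": "bob", "privileged": False, "owner": "finance", "last_review": "2007-06-30"},
]
FIREWALL_RULES = [
    {"id": 101, "action": "allow", "src": "10.0.0.0/8", "dst": "10.1.2.3", "port": 443, "change": "CHG-4411"},
    {"id": 102, "action": "allow", "src": "0.0.0.0/0", "dst": "10.1.2.9", "port": 22, "change": None},
]
CHANGE_TICKETS = {"CHG-4411": {"approved_by": "change-board", "closed": "2007-07-20"}}

# Assumed policy: privileged accounts are re-reviewed at least every 90 days.
REVIEW_INTERVAL = timedelta(days=90)


def account_findings(accounts, today):
    """Privileged accounts must have an owner and a recent access review."""
    findings = []
    for a in accounts:
        if not a["privileged"]:
            continue
        if a["owner"] is None:
            findings.append(f"{a['user']}: privileged account has no owner")
        last = date.fromisoformat(a["last_review"])
        if today - last > REVIEW_INTERVAL:
            findings.append(f"{a['user']}: access review overdue ({last})")
    return findings


def firewall_findings(rules, tickets):
    """Every rule must trace to an approved change ticket; flag risky exposure."""
    findings = []
    for r in rules:
        chg = r["change"]
        if chg is None or chg not in tickets:
            findings.append(f"rule {r['id']}: no approved change ticket")
        if r["src"] == "0.0.0.0/0" and r["port"] == 22:
            findings.append(f"rule {r['id']}: SSH open from any source")
    return findings


def _canonical(body):
    # Sorted keys and fixed separators give one byte string per content.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(accounts, rules, tickets, today):
    """Assemble a timestamped evidence record and seal it with a SHA-256 digest."""
    record = {
        "collected": today.isoformat(),
        "accounts": accounts,
        "firewall_rules": rules,
        "findings": account_findings(accounts, today) + firewall_findings(rules, tickets),
    }
    record["sha256"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def verify_evidence(record):
    """Recompute the digest over everything except the stored digest."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record["sha256"]


def collect(today_iso="2007-09-01"):
    """Build the evidence record for the constructed sample data."""
    return build_evidence(ACCOUNTS, FIREWALL_RULES, CHANGE_TICKETS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    ev = collect()
    print(json.dumps(ev, indent=2))
    print("evidence intact:", verify_evidence(ev))
```

Run as written, the record carries four findings (the service account with no owner and an overdue review, and the firewall rule with no ticket that exposes SSH to any source) and the digest verifies; altering any field of the record afterward makes verification fail. Storing the digest somewhere the collector cannot write to is what turns this from a report into evidence.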




Copyright © 2007 IDG Communications, Inc.
