Dennis Devlin says the reason that CSOs like himself have gray hair is that they get paid to think about the worst things that can happen to their organizations. But companies that do this well don't have to scramble as much when IT security threats emerge, said Devlin, a VP with information services company Thomson.Devlin shared his experiences as an enterprise decision maker Tuesday at a Massachusetts Network Communications Council seminar on network security. Representatives from Cisco, Kroll Ontrack and RSA Security also participated.The Thomson executive chairs a council of senior security officers at his company, a\u00a0 38,000-person outfit, that work with line-of-business personnel. "Security is definitely a team sport," he said.Devlin said enterprise network security is evolving from what he called an egg model, in which the exterior is hard and the inside is soft, to a stealthy submarine model, where data is compartmentalized and protection is approached from the inside out.Thomson uses technology from a host of companies, from big names such as Cisco to a mix of start-ups. But beyond technology, end user awareness is hugely important, Devlin said. That's both in terms of what information they can and can't divulge to outsiders as well as what constitutes appropriate network behavior."We need to make people aware we can figure out what you will do even if you aren't blocked from doing it," he said. "That's a motivator to appropriate behavior."Among Devlin's biggest concerns is the vulnerability of the applications his company runs. This is particularly important with the move to Web applications and service-oriented architectures based on lots of small programs that need to be quickly deployable and can't afford to get slowed down by too many security checks. "Our applications are just as vulnerable as our operating systems," he said, noting that Thomson works closely with application vendors to ensure security.Devlin said he foresees a time when applications such as e-mail will be denied by default and only previously approved messages and senders will be allowed through.Thomson has no shortage of offers from vendors to help with its security needs. Devlin said he must get 20 calls a day and that his protocol is to tell people to send him a one-page explanation of their technology.He said he knows of counterparts at other organizations that head up huge security departments that get beat on like pi\u00f1atas by different business groups. Devlin said he prefers his company's distributed set-up, where his group oversees strategy and architecture, but leaves much of the rest of up to individual business groups. "I don't know how much we spend on security and I want to keep it that way," he said.While Devlin said he doesn't exactly wish bad things upon his counterparts at other companies, he did say that CSOs must pounce on opportunities to justify security investments when say, another company loses backup tapes or has its network crippled by a worm. "You want to use real-life business examples," he said.