By Ellen Messmer
Becoming the chief information security officer (CISO) of a corporation
makes you a strategic IT advisor to business management, the chief
information officer, and the rest of the information technology staff.
Just as no company is the same as another, the job of CISO -- or
alternately, chief security officer, which might include physical
security as well -- isn't either. The four security professionals who
share their priorities with us make it clear there's nothing
cookie-cutter about the top IT security job.
Name: Beth Cannon
Title: Chief security officer at San Francisco-based merchant bank
Thomas Weisel Partners
Installed base: 700 employees using servers, desktop and laptop
computers, plus 450 handhelds, mainly BlackBerry
Broad concerns about regulatory compliance were instrumental in creating
the chief security officer job at merchant bank Thomas Weisel Partners
back in 2004.
"Among the drivers for the CSO job were the disaster-recovery rules
coming into play from the Securities and Exchange Commission (SEC) after
9/11," says Beth Cannon, the first-ever CSO there. "We also needed to look
at Sarbanes-Oxley because we were planning to go public."
Thomas Weisel Partners decided to carve out the job in order to have a
point person acting as central liaison between the legal department, IT
and upper management in crafting IT security policy.
Cannon, who reports to the CIO, said she has made it a priority to have
telecom providers disclose how lines to the bank's corporate clients are
routed to avoid an over-concentration in one area -- one horrible lesson
learned after the Sept. 11 terrorist act on New York -- and is looking
at VoIP as an option for some services to users.
While it's not always easy to build unity internally around security
policies, one advantage, she says, is that her eight-year tenure at the
firm -- she was the chief technology officer there before accepting the
position as CSO -- meant "I've built a lot of relationships."
This helped in the situation when she had to sit down with the legal
department and IT to hammer out security policies she was advocating for
the hundreds of BlackBerries and laptops that employees take with them
for mobile computing.
While sometimes employees balk at policies such as password time-outs or
encryption that may add complexity, says Cannon, it's easier to help
change a pattern of computer behavior when the discussion occurs between
people who personally know each other. "The relationship really becomes
the key," said Cannon.
Name: Jalal Zamanali
Title: Senior vice president of information technology and chief
information security officer at Temple-Inland and its subsidiary
Guaranty Financial Services
Installed base: 16,000 end users, mainly in North America, in a
primarily Windows-based computing environment, with 1,200 servers and
One of the first things that Jalal Zamanali did after joining
Temple-Inland, a large firm with interests in corrugated packaging,
forestry, real estate and financial services, was to do a security
assessment to see where we are and where we ought to be, he notes.
He also organized the staff of 17 security specialists into three teams:
one to conduct penetration testing, a second to handle security
monitoring and management, and the third dedicated to security
governance, which he describes as policy development and standards.
"The standards specify elements in the policy, such as authorization,
authentication, and they're requirements," says Zamanali.
Now at Temple-Inland for about one-and-a-half years, one of Zamanali's
first priorities was deploying a security-information management product
to centralize security-event reporting, in this case one from NetIQ.
"Without tools to identify some events we're interested in, it can be like
finding a needle in a haystack," said Zamanali, who reports to the chief
risk officer, who in turn reports to the CEO. Upper management's concerns
generally relate to compliance with regulations that include
Sarbanes-Oxley and Gramm-Leach-Bliley, he notes.
Zamanali, who came to Temple-Inland after stints in top security jobs at
JP Morgan Chase, IBM Global Services, and Dell, says his early work life
actually began as an engineer designing nuclear submarines. Like many
others living through the age of rapid expansion of information
technology and security, he said he simply became fascinated with it and
decided to switch careers.
Name: Isabelle Theisen
Title: Chief security officer at First Advantage mortgage services
Installed base: About 6,000 workstations, PCs and servers, plus some
BlackBerry and cell phones, for about 4,500 employees
When Isabelle Theisen joined St. Petersburg, Fla.-based First Advantage
about one and a half years ago as its first-ever chief security officer,
she sensed the new job, where she reports directly to the company
president, was going to be dynamic.
"This is intended to be proactive management, and a team of five people,
also all new, came in at that time, too," said Theisen, who says she
started out in her career as a firewall administrator at Ernst & Young,
with her previous job in security at American Express.
Her CSO team now works with 17 members of the First Advantage IT
department on security tasks that include risk evaluation, logging and
monitoring of all security devices. There are plans underway to monitor
all the servers.
One main security push is to deploy intrusion-prevention systems, in
this case TippingPoint, at first just in monitoring mode but eventually
to block attacks. "Are we getting attacks, perhaps from Russia, China or
whatever?" Theisen asks. "It's about stopping that." As it deploys IPS,
First Advantage will probably phase out standalone intrusion-detection
systems that only monitor.
"First Advantage has allowed me to build a three-year strategy and
roadmap in order to dovetail security with business plans for a Web
portal and other online efforts," Theisen notes. In the security
division she has organized, compliance reporting and building a
security operations center are two main areas of focus, with future
efforts to encompass identity management.
Name: Martin Carmichael
Title: Chief security officer at McAfee
Installed base: Windows-based computers to support over 3,600 employees
globally, many of whom also have BlackBerries and cell phones, not all
provided by McAfee
Although McAfee is a veteran in terms of selling security products, it
didn't really have a well-defined chief security officer position until
Martin Carmichael joined last October.
"Before me there was a security officer who was a consultant from
Deloitte & Touche," says Carmichael. This is the first time the office is
Specifically, Carmichael takes on CSO responsibilities that include
defining risk management and compliance reporting for McAfee as well as
acting as the chief privacy officer on questions of personally
identifiable data. "I report jointly to the CIO and to the board," says
Carmichael. He has 22 security specialists directly assigned to his
security group, with 160 others at McAfee working collaboratively with
his division, and has already organized a number of specialized teams that
include security operations, compliance and business continuity.
Carmichael noted that sometimes highly technical people "don't communicate
as well with business people as we'd hope." By formally building bridges
between the technical and business sides, Carmichael hopes to achieve
the best results within an allotted budget. "I'm here to reduce risk. I
fight for budget resources," said Carmichael. "I can't imagine one CSO in
the world who doesn't lobby for more."
Carmichael comes to McAfee from the wireless handset insurance provider
Asurion Corp., where he was CSO, and has also held senior IT security
positions at Wells Fargo, Los Alamos National Laboratory, Oak Ridge
National Laboratory, and NATO. Carmichael fondly recalls working on one
of the very first commercial firewalls at Digital Equipment Corp.
While there are a number of useful security governance models,
Carmichael says his own favorite is a security-evaluation metric called
the Systems Security Engineering Capability Maturity Model, which was
developed by the Defense Department and some industry partners to
evaluate both practices and products.
"It's a process-based framework metric we could use at McAfee," Carmichael
All contents copyright 1995-2007 Network World, Inc.