This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners unmasked."
by Michael S. Mimoso
Richard Jackson, Chief Information Protection Officer, Chevron
Stress Reliever: Reads cloak-and-dagger mystery and detective novels.
Favorite geek site: www.wallstreetjournal.com
Engineering, plant management, sales management, marketing--Richard Jackson is fluent in all of them. In many ways, these proficiencies have served him better in his position as Chevron's chief information protection officer than a CISSP certification.
Jackson, a 25-year veteran of the company, moved to Chevron's information protection organization six years ago, and took charge of the group two years ago. Today, his peers believe Jackson is the model security officer of the future.
"Rich has become effective in his company; he's approached security not from a bits and bytes perspective, but from an influence perspective," says Larry Brock, CISO at DuPont and fellow member of the International Information Integrity Institute (I-4). "That's what it's going to take for CISOs."
Increasingly, security managers are morphing into conduits between IT and business units, and those who succeed will make risk assessment part of business processes.
Following the Texaco merger three and a half years ago, the company's already substantial data assets have doubled. Jackson has had to contend with refineries daily generating a terabyte of process data, simulations on drill sites creating 10 terabytes of data, and 3-D seismic projects running simultaneously that account for 350 terabytes. All of it, along with data generated by enterprise systems like e-mail and accounting, has to be safely stored, kept available and archived to appease auditors.
In perhaps no other industry does risk assessment impact decision making more than in the oil business. Oil derricks stand for 30 years, and the data used to make location and depth decisions must be reliable and accessible. Jackson's primary focus has been on the people, policies, processes and technology involved in business decisions--in that order.
"Internally, my biggest impact on the company comes from the way I view security, which is different from that of folks with an IT background," Jackson says. "IT thinks of security as a technology, first and foremost. My perspective is different. We coined PPPT (people, policy, process, technology), and technology is last on purpose. It gives us a road map for everything we do."
Jackson's PPPT model is applied elsewhere inside Chevron, particularly with regulatory compliance projects. His group created a comprehensive set of policies and standards through a partnership with Chevron's audit organization, and created an internal consulting practice.
"I was brought in because my background was outside of IT," Jackson says. "Chevron wanted someone who could sell security to the organization. The big issue around cultural and behavioral changes is that we can't do it with technology alone, but through the hearts and minds of people. It won't happen until they figure out it's good for them to make a change."
Jackson's group has recently taken on additional responsibilities in the areas of privacy, record retention policies, export regulation compliance and intellectual property protection. Security is less a technology practice and more an overall risk management exercise.
"Rich is right on target. We share a common belief that our role is to enable and protect the business and not be the police force," Brock says.
"We have success when they seek us out rather than us chasing them down," he adds. "He's one of those new-generation CISOs who embody that new philosophy."
This was first published in September 2005