This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners unmasked."
Rx for Success
by Susan Hildreth
Vice president of enterprise security
Stress Reliever: Enjoys biking and precision rifle shooting.
Favorite geek site: www.openbsd.org
Patrick Heim has a long list of daily issues--from project planning and budgeting to evaluating new technologies--but what keeps him awake at night? Worms. Given that health care giant McKesson Corp. is the 16th largest industrial company in the U.S., with more than $80 billion in annual revenues, he has good reason to worry.
"As worms get smarter, they have a higher probability of causing significant damage to the corporation with more than 20,000 computer users," says Heim.
And he should know. The 35-year-old vice president of enterprise security is known for his thoughtful analysis of security risks and his propensity for seeing new ones lurking on the horizon. It's an instinct honed by years spent in IT security at various companies, including eNetSecure and nCircle.
His career started as a security auditor for Ernst & Young, where he was engaged in ethical hacking. "You really gain a great degree of insight into the threats that are out there and the reality of these threats," he says. "It makes it less abstract once you've participated in ethical hacking, and helps you do a more realistic risk assessment in your work."
Of course, Heim wouldn't have been hired to ethically hack anything had he not already exhibited an expertise in that area. He had been tinkering with computers and modems since the age of 10, and had his first brush with the world of hacking when he and some friends found an unprotected area on a car dealership's system where, they discovered, they could submit orders for new cars. But, Heim is quick to add, they never actually submitted a bogus order.
Those hands-on experiences messing with code as a teenager and, later, hacking into systems for E&Y have helped him understand how fairly mundane security risks can bring down a corporate network.
"The biggest issue is the availability of systems. If we do a real analysis of what the domains of security are, you have confidentiality, integrity and availability. It's the availability of our environment that we need to really look out for more than anything else," he says.
His deep understanding of technology makes it easier for IT colleagues and subordinates at McKesson to hash out their technical concerns with him--which is something they cannot always count on being able to do with an executive.
As Gary Masters, manager of systems engineering at McKesson, explains, "He's a manager and leader, but he's also a very competent technician. He not only knows the direction we need to take, he also understands the ramifications of the technology."
Of course, as the top IT security executive at McKesson, Heim must also be able to speak the language of business and management. With a master's degree in finance, Heim appreciates the business aspect of IT investments and can explain IT security risks in terms of their impact on the McKesson bottom line.
Justin Dolly, chief security officer at Macromedia and a colleague and friend of Heim, describes him as someone who can bridge the gap between IT and business. "The difficult things about security are being able to identify and weigh risks--what those risks could mean and which ones you can and cannot live with--and then explain those risks to high-level management to get buy-in from the top," says Dolly. "There are a lot of security guys out there who understand the ones and zeros, but few who have that understanding and can interact with the business side well."
This was first published in September 2005