NEW YORK -- Meet your enterprise's new marketing person: the chief security officer.
In many cases, not only is this person putting out security fires in order to protect your company's digital assets, but he is also constantly waging another uphill battle to instill a culture of security inside your company.
This is happening on several levels, a number of chief security officers said during last week's Infosecurity Conference and Exhibition.
CSOs, for example, have to market security to the executive level in order to obtain the budget to enhance existing technology or upgrade to new technology. They also have to educate employees, make sure the rank-and-file has a solid grasp of the corporate security policy and, depending on the size of the firm, get their hands dirty and manage a team of engineers who keep networks clean of viruses and fortified against intrusions.
Kenia Rincon, information security manager for the Reader's Digest Association, Pleasantville, N.Y., said that the job of a senior security officer is to use security as an enabler to meet a company's business goals. Rincon reports to her company's chief information officer, who has a pipeline to the executive level. She considers herself fortunate that she and the CIO have a productive give-and-take relationship.
"When he says 'Wireless, we should do wireless,' my job is not to say not to deploy wireless, but to say 'This is how we do wireless safely,'" Rincon said. "CSOs are marketing people. We market security to the executive level. It's a long road, and it continues to be an uphill road."
Rincon said it is vital that the CSO establish an enabling presence inside the enterprise.
"We do a lot of educating of senior people. They focus on the business, and sometimes they're not educated enough when it comes to security," Rincon said.
When it comes to educating employees, some companies hand them an IT security policy on Day 1 of employment, where it gets shuffled into a large pile of 401(k), insurance and tax forms. It gets little attention from the employee and even less enforcement from management.
St. Jude Medical, Inc., St. Paul, Minn., a Fortune 500 medical device manufacturer with operations in 22 countries, promotes IT security on its intranet with a four-course, multi-language IT Security Awareness curriculum. The firm's 4,000 users must pass two of the four courses in order to use the corporate network, said David W. Stacy, CISSP, Global IT Security Manager for St. Jude Medical.
"Marketing like this is a key part of the program's success," Stacy said. "Our CIO is on the executive committee and she works for the chief operating officer. She's a strong advocate of IT security."
That channel was opened 21 months ago, when Stacy arrived. At the time, there was no security policy in place, and Stacy made that priority No. 1. After gathering input from several departments, including legal, human resources and IT, Stacy and his team crafted a policy that was acceptable to management. Following a six-month training program, it was delivered to users and rolled out on the company intranet. Stacy's efforts to involve all rungs of the corporate ladder paid off handsomely.
"Executive management made it mandatory. To have the privilege of using the system, you had to complete the courses," he said. "That's a real key element to a secure environment: educate users on expectations and policies. We had to solve the people problem first, then deploy technology. With proper management support, it has worked just fine."
Reader's Digest's Rincon said that this kind of marketing of security can clarify the blurry return-on-investment question for executives.
"Access to the executive level can be a significant roadblock for CSOs," Rincon said. "Executives see security as a money issue. And in these times of reduced budgets, things are difficult."