First of all I look for experience. Have they in fact worked in areas of information security, either operationally or in terms of managing information security programs in a global company? I look for good project management experience, and I look for an information security professional who has had dealings with the customer and hasn't just been isolated in an information security corporate office, so to speak. I want somebody who has gotten out there and understood how the business functions. You can only be really successful if you truly understand how the business works so that you can support that. You've been involved in IT and information security for more than 20 years. How has information security changed during this time period?
Information security programs in general have changed in a big way. Fifteen years ago they were mostly focused around a mainframe-type environment. Eight or 10 years ago I was looking at very technical people in terms of skill sets. That was when we were setting up firewalls and e-business programs. We needed folks that really had that in-depth technical expertise. Today I'm looking for a mix of skills. I'm looking for information security skills, obviously, but I'm also looking for a mix of technical, project management and good business skills. It's my belief that you can't sell or obtain the support necessary for a good information security program without actually being able to sell it in terms of benefit to the business. It isn't just about technology anymore. What advice would you offer other security managers who feel they do not receive the same level of support from their organization's leaders?
Often times, it's an awareness issue. Information security and information risk management programs are implemented to enable business objectives. We aren't here to get in the way of business objectives, but to understand what the business goals are and then to design solutions that will help the business to achieve those objectives while managing information risk. If we can educate management on those benefits and advise them of the risks that we 're dealing with, I believe it's much easier to get their concurrence and their buy in for the programs. Often, information security professionals implement security for the sake of security. And we need to implement security as a business enabler. What do you view as the biggest threat to America's corporations today in terms of information security?
The trend to not take information security and information risk management programs serious enough within a company. I don't see evidence that companies in the industry at large are putting the kind of focus and attention on these programs that's required in terms of staffing, resources and priority within the organization. I believe we've made great strides here at Xerox, but in general, I don't think that that's the trend that we're seeing. There's a lot of talk about it, but I'm not sure that there's a lot of action behind that. You've developed the Xerox Information Risk Management Center of Excellence and initiated the Electronic Security Emergency Response Team, so it appears that Xerox Corp. is forward thinking when it comes to security. What is the company's philosophy with regard to security?
The company's philosophy is that information assets are very important. Consequently, we take all reasonable precautions to protect those information assets. And we've actually seen that happen in terms of support and management's backing for those programs we've initiated.