Impact Player

More serious threats and legal responsibilities have many businesses boosting the security chief to executive status

information Staff, Contributor

February 22, 2002


David Bauer is two months into what he considers the best job of his 20-year career. Since Merrill Lynch & Co. appointed him chief information security and privacy officer in December, Bauer has become many things: technology manager, legal expert, policy maker, negotiator, salesman, and evangelist. It's a job that can require a shift in strategy at a moment's notice in response to what Bauer sees in the news each morning or hears during staff briefings. "Every day, you see a new virus alert or other vulnerability," he says. "You have to ask yourself, 'How will that change what I'm doing?'"

Bauer is experiencing firsthand the growing responsibilities and complexities of security management. While his career has pingponged between technology and security--he's been a network security manager, the head of engineering at Deutsche Bank, and VP of operations at an Internet outsourcing company--it's been five years since he headed security, as a principal at Morgan Stanley. This time around, the job is much harder.

The demand for wireless and Web services is growing, but they remain among the most difficult technologies to secure. And technology vendors aren't keeping pace with the difficulties. "There are more security problems, yet the solution set hasn't evolved well," Bauer says. Increased reliance on the Internet as a business-to-business medium raises issues of how to incorporate customers and business partners into the New York firm's security strategy. "Five years ago, it was easier to understand the edge of our data-center network and where the outside began," he says. "Now it's a lot harder to find that."

With the Merrill Lynch job, Bauer joins an elite group of Wall Street chief security executives who are at the top of their game, earning star status and salaries of up to $1 million, because of the financial industry's strict requirements for data protection. Now that job function is a model for other businesses, from health care to manufacturing, which are considering appointing a chief security officer for the first time.

Companies are elevating the security officer job to C-level status because the risks to data and people have multiplied in complexity within just a few years. Those companies appointing CSOs have decided that security is too complex and serious an issue to be managed by already-overburdened CIOs or relegated to midlevel managers with limited influence who sit layers below executive management. "Every day something happens that reinforces the importance of having firmwide visibility and dialogue around the topic of security," says John McKinley, Merrill Lynch's executive VP and chief technology officer. "It takes a uniquely skilled individual to manage it, someone who has credible knowledge of the business as well as a good technical grasp of the issues."

Reliance on the Internet for conducting business has increased security problems that haven't been addressed by vendors, says Merrill Lynch's Bauer.

Because physical and information security don't drive earnings or revenue growth, security wasn't a hot topic among top executives--until recently, that is. New data-protection laws and growing threats from debilitating computer viruses, hackers, fraud, and terrorists have made security planning a top priority. McKinley meets regularly with Bauer, and what they discuss is often carried into meetings between McKinley and other top executives. "Security is much more of a boardroom dialogue than it has traditionally been," McKinley says. "It's our responsibility to make sure we have a robust set of controls in place."

The numbers show that top executives spend more time on security issues. information Research's 2001 Security survey, fielded by PricewaterhouseCoopers, found that 41% of CEOs, presidents, and managing directors are involved in setting security policy, and 52% weigh in on security spending. Both figures are 10 percentage points higher than in 2000.

Executive recruitment firm Christian & Timbers has seen a 10% increase in CSO-type placements in the past year and predicts that experienced CSOs will be in high demand in the next few years. Marc Lewis, who heads the Cleveland firm's corporate IT practice, estimates that 15% of companies he's worked with have CSOs, and about half of his clients are considering creating the job. Titles for the position vary, including chief information security officer, chief risk officer, and VP of security. Sometimes, as in Bauer's case, the job is combined with the responsibilities of chief privacy officer and includes business-continuity planning. Bauer reports to the head of global technology services.

Some observers say that too many companies make the mistake of burying security management within IT. Companies that hire CSOs realize that an effective security strategy is as much about communication and evangelism as it is about a secure IT infrastructure. "Security isn't a vendor. It's not an IT issue. It's really a corporate issue," says Al Pappas, CIO at San Francisco travel-reservations site Hotwire.

Still, CSOs aren't commonplace. Several research organizations have tried in recent months to pin down the number of midsize to large companies with executive-level security pros in place, with estimates as low as 10%. A study of 72 companies with more than $1 billion in annual revenue (a third of them with more than $5 billion) completed by management consulting firm Booz Allen Hamilton in December found that only half have chief security officers. Where there's no such officer, security responsibilities usually go to the CIO. And 97% of companies surveyed that don't have CSOs say they don't plan to hire one within the next three months.

Christian Byrnes, a security analyst with Meta Group, says those companies that don't create CSO jobs set themselves up for potentially crippling security breaches. "Security officers are required to govern behavior, policy, and processes that cross the organizational boundaries of a company and that requires executive-level oversight," he says. When security is managed several layers below top management, it's largely ignored by most everyone in the company. Hal Tipton, co-founder of the International Information Systems Security Certification Consortium Inc., agrees: "If you don't have the support of top management, your security program will wither on the vine."

Why the resistance to an executive security position? For one thing, CSOs aren't cheap. Salaries range from $200,000 to the million-dollar level for Wall Street types. And, not surprisingly, in many companies, there's pushback about having "another cook in the kitchen at a high level," Byrnes says. Despite the resistance, more companies will support executive-level security management. About 20% of Meta Group's 2,000 corporate clients have CSOs on board, and Byrnes predicts that will grow to 40% within five years.

Other recruiters say they hear a lot of talk about bringing in CSOs, but hiring managers have trouble getting salary approvals because of the poor economy. However, recruiters predict stronger growth in security-executive placements when the economy improves and budget constraints ease. Alta Associates Inc. typically places CSOs at financial firms in New York but is starting to see demand coming from other industries, such as health care, Alta CEO Joyce Brocaglia says.

Many businesses are reviewing the relationship between physical- and information-security management; some have CSOs who manage both areas, while others divide those duties (see "Security On All Fronts," Feb. 11, 2002). The Port Authority of New York and New Jersey, which manages transportation at airports, bus terminals, bridges, tunnels, and marine ports, favors the second method. The Port Authority felt the impact of the Sept. 11 attacks firsthand. Its headquarters were in the World Trade Center, and 75 employees lost their lives that day. Thousands of desktops and departmental servers were destroyed, prompting the agency to re-examine its business-continuity plans along with its security strategy.

Following Sept. 11, the Port Authority hired a director of physical security who works closely with the existing director of information security, who reports to chief technology officer Greg Burnham. "In some sense, the biggest challenge we have is finding ways to improve our physical security through technology, so there will be more communication between physical security and technology security," Burnham says. The Port Authority is looking at sophisticated monitoring technologies to reduce the number of police officers it needs to have on duty. "The cost of physical security is getting to be too high," he says.

Qualifications vary for the top security job. CSOs tend to come from one of two backgrounds: IT managers who learn security on the job and people with a security background who gain an understanding of technology.

Merrill Lynch's Bauer is one security executive who came up through the IT ranks. He says the years he spent working as an engineer on distributed computing environments helped, because he knows where security risks are and has kept track of the evolution of important products and technologies. "There's been progress in intrusion-detection technologies but not so much in Web services," he says.

Meanwhile, Bauer is well-versed in legislation such as the Gramm-Leach-Bliley Act, which, among other things, makes boards of directors of financial institutions responsible for understanding security risks to data at their companies. Now Bauer finds himself working not just with auditors but with lawyers to determine whether security measures meet the spirit and letter of the law, to keep his company safe from crippling lawsuits that could result from security breaches.

CIOs Drive Policy

James Wade, who was appointed VP and CSO for the Federal Reserve System last year and is president of the International Information Systems Security Certification Consortium, came from the other path. His career in security dates to the 1970s when he was an Army special agent with military intelligence. In the 1980s, he worked as director of security for a large manufacturing company, where he was responsible for information and physical security. "My role was almost as a cop. I did a lot of investigation and fraud analysis," Wade recalls. After that, he began expanding his knowledge of technology, working at a research-and-development organization as a program manager in areas such as biometrics, access control, and artificial intelligence. He's done security consulting work in business and government for networks and firewalls, led the Department of Energy's security inspections of U.S. laboratories and nuclear-weapons sites, and was co-CSO at Verizon Wireless. In his role at the Federal Reserve in Washington, Wade works with the Fed's 12 regional banks to establish security policies.

Regardless of a CSO's qualifications, and of increasing external risks, security remains a tough sell in many companies. Business-unit managers see it as pure expense, with the potential to muck up efforts to find new selling opportunities or business partnerships. Micki Krause, who's been director of information security for medical insurer PacifiCare Health Systems Inc. in Santa Ana, Calif., for six years, says she needs a healthy dash of sales skills to get the job done. "You're selling risk mitigation, and that's very akin to selling insurance," she says. "No one wants to admit they have to have protection against all the bad things out there."

Rick Lacafta, CSO and executive VP at Citigroup subsidiary Travelers Insurance in Hartford, Conn., says executive buy-in is critical. If he doesn't have the ear of key decision makers, his efforts to convince the 25,000 other employees to take security seriously will ring hollow. "Those decision makers have to absolutely understand what's at stake," says Lacafta, who started 28 years ago as an entry-level IT worker at Travelers.

Security management "is only recently something that executive managers have been concerned about, and that's an important change," agrees Lacafta's boss, Diana Beecher, Travelers' senior VP and CIO. The executive-security job emerged in part because of the integration of many IT functions, she says. "Rick focuses on the holistic view of security around all of our different technologies. Before the use of the Internet in enterprise technology, there wasn't a perception that it was necessary to focus on security from a holistic perspective."

His proactive approach to security hasn't always won him allies, Lacafta says. There have been times when he's had to stick to his guns, even though it delayed a potentially profitable project for the company, until a better security approach was found. "If data requires protection, you don't want to lower standards to avoid a difficult discussion," he says. "It's a job that's not for the faint of heart."

That dichotomy defines the job: Security is a top priority at many companies, yet those managing security must constantly negotiate to convince top executives to buy into security measures. CSOs know that it comes with the territory. But with growing concern about hacking, viruses, and even terrorism, security executives increasingly find they have the clout to come out on top in these corporate debates.

Illustration by Gary Taxili
Photo by Stephen Aviano
