












State of Salaries
Key Characteristics of CISOs
Do’s and Don’ts of Résumé Writing
Ranum versus Schneier: Do Certifications Matter?
Using Office Politics to Your Advantage
Tough Interview Questions
A Recruiter’s Perspective on How to Land the Perfect Job
How to Network Effectively
A Day in the Life of a Security Executive
Women in Security
What the C-suite Looks For
10 Must-have Security Books

Salary






Six-figure security jobs have become common. Maybe you should slip this article into your boss’s mailbox.

For 14 months, candidate after candidate trudged through Andre Gold’s office hoping to be offered a coveted position with the Continental Airlines information security team. Gold saw them all during his hunt for talent—CISSPs, CISMs, MCSEs, each with impressive technical chops, but….

“They could not define risk, or they did it by what the CISSP book says,” says Gold, director of information security for the airline. “To the business side, it’s important to have an entity that can articulate risk in terms of the business. I can find people who write rules and put in firewalls. All I ask them is, ‘Why? What’s the risk? How will it impact revenue?’”

Increasingly, those who can successfully align risk to business processes and communicate that to management are cashing in with lucrative careers in information security, and landing jobs with six-figure salaries, according to most prominent salary surveys.



By that measure, Gold believes he is making himself even more marketable by pursuing an MBA from Colorado State University. In fact, some predict (and hope) that those with business skills bolstering their bits-and-bolts knowhow will get compensated in the same manner as a company’s C-level executives.

“You will see compensation structures change, and [CISO] packages more in line with what chief executives expect in an organization,” Gold says. “That includes the base salary, incentive bonus packages and stock options. I see [getting a CISO position] becoming competitive, but you won’t see that competition drive down the price.”

Putting Out Fires
Former Army intelligence officer focuses on crisis control

Title: Deloitte & Touche Global Security Officer
Key career move: Taking the job at Deloitte

Working counterterrorism and counterintelligence in the U.S. Army, Don Ainslie provided “black book” briefings that outlined threats in officers’ particular regions. As the current global security officer for Deloitte & Touche, he supplies company executives with business intelligence on regional threats. Ainslie is responsible for securing the professional services firm’s information and 125,000 employees in 150 countries, and handling crisis management.

Since taking the position in 2004, Ainslie’s leadership and management during crises has been tested plenty of times with the Asian tsunami in 2004, the London subway bombings in 2005, various hurricanes and a building fire in Spain.

He draws on the security foundation he built during his four years in the Army and his experience working as a security consultant at Trident Data Systems and Aegis Research. Both companies specialize in serving government agencies, and some of the work was sensitive and involved classified data. He later joined Ernst & Young, where he helped commercial clients with business continuity plans, risk assessments and other security projects.

Deloitte tapped Ainslie in 1998 to help build an information security consulting practice. He then headed global information security until Deloitte combined its information and physical security efforts, expanding his role.

His job isn’t about forcing people to do things or implementing security for security’s sake within the company. Rather, it’s about showing how security can help the bottom line and improve the services Deloitte provides its clients, Ainslie says.

“You have to establish credibility—that you know what you’re talking about—but also [show] that you can add value,” he says.

Getting Down to Business

Various organizations conduct salary studies that focus on slightly different job titles. But regardless of whose numbers you look at, today’s average security manager is making upwards of $100,000 per year. The SANS Institute’s annual salary and career advancement survey, released in January, puts the median U.S. salary for a senior security executive—such as a CISO, CSO or chief risk officer—just north of $106,000. Meanwhile, according to compensation researcher Foote Partners, a manager of information security earns slightly more than $101,000 per year.

Why do some security managers earn more than others? “The global nature of the position, responsibilities, size of staff, industry and geographic location,” explains Joyce Brocaglia, CEO of Alta Associates, an executive recruitment firm specializing in information security. “People who have skill sets and can articulate certain situations to enable the business to reach its goals can demand better salaries.”

But don’t misinterpret six-figure pay to mean that infosecurity pros think they’re being adequately compensated. With the money comes new demands; regulatory pressures have forced corporate boards to pay more attention to information security, and that added focus shines a spotlight on the policies and people that protect customer data and intellectual property. There’s more on a CISO’s plate than ever before.

“I haven’t seen compensation in line with what major organizations are expecting of CISOs,” says Continental’s Gold. “Base salaries are still low, and incentive plans that include equity in companies are not on par with what they should be. You’re asking individuals to plug gaping holes in organizations, especially if it’s a public or Fortune 500 company, and you’re still not compensating them what you should be.”

Some industries, like financial services, are starting to put security under the risk management umbrella alongside business continuity, disaster recovery and technology risk management. Earlier this decade, regulated industries scampered to meet the demands of auditors to have a central figure responsible for risk and, ultimately, for information security.


It’s the Can-do Attitude
Experian’s CISO makes security an enabler

Title: Experian CISO
Key career move: Switching from engineering to security at Visa

James Christiansen was an engineering executive at Visa International in the late ’90s when the company suffered a very public, embarrassing incident involving a stolen laptop. Intent on preventing similar events, the company’s IT president asked Christiansen what it should do. Christiansen went to work on a business plan, scouring the Internet and anything he could get his hands on regarding security best practices. He handed the president his plan with the recommendation that Visa create an information security division and got a quick answer: Do it.

Eight years later, after becoming Visa’s first information security officer and then the worldwide CISO for General Motors, Christiansen has taken up a post as CISO at credit and financial services firm Experian. He credits his success to his combination of technical and business experience.

At Visa, he directed the project management office and worked in IT financial management before moving into engineering. He also worked as the business relationship manager of call center operations at Household Credit Services, and, before that, worked in various database, systems engineering and programming jobs. His professional credentials include an MBA.

In Christiansen’s opinion, a CISO needs deep technical grounding balanced with a strong understanding of business; using jargon and fear to convince the CEO of the need for security is “the loser approach,” he says. “You need to be able to translate the issues into terms the CEO can

That skill of couching security in terms of driving revenue last year helped him to earn an unusual honor for a security official: an award for his contribution to Experian’s sales.

Instead of always saying no, it’s critical for a CISO to figure out a way to build on the company’s initiatives while still retaining confidentiality and data integrity, he says. “You’ve got to find a way to say ‘yes.’”

Lloyd Hession, CSO for BT Radianz, a New York-based provider of secure connectivity for the financial industry, says that funding is being funneled to audit teams—away from those doing security work. He fears salaries may have leveled off for those reticent to take the plunge into risk management. “The auditor keeps the CEO out of jail and has a seat at the big table,” Hession says. “Audit people have moved up in prominence while everyone else has [moved] down.” According to Alta’s Brocaglia, salaries have leveled off as skills have gotten commoditized and/or outsourced.

“If a premium is paid anywhere, it’s for the information risk area,” she says. “Folks who are truly paid the most generously are the tri-athlete candidates: they have strong business acumen, a good technology base and the ability to communicate. Companies are asking for program managers and people who tie together disparate security aspects of business units, manage the entire function and present that package to the board or senior executives.”

If paychecks are any indication, companies value a combination of IT and auditing skills. CISOs increasingly have more of a business-process background than one of strictly computer security or engineering. SANS found that managerial types—like senior security executives (CISO, CSO) and senior policy executives (CTO, director of IT operations)—make $106,326 per year, and technical security pros earn on average $75,275 per year. Security analysts and network security architects (positions with a technical focus) earn a median salary of $74,200 per year, according to Foote Partners.

The CISO must have strong business acumen and articulate technology solutions to a diverse audience, says Tracy Lenzner, CEO of LenznerGroup, an executive recruitment firm. Says Brocaglia, “There’s a direct correlation between the increase in offers made to those candidates who have a more holistic approach of risk and executive management skills, which are required for other executives in a company.”




Salary b


Rallying the Troops
Former FBI agent says understanding motivation is key

Title: Northrop Grumman CISO & Business Group Director
Key career move: Leaving the FBI for Cisco

Tim McKnight got his start in information security at the Federal Bureau of Investigation as a special agent protecting the nation’s critical infrastructure from cyberthreats. His work as a G-man proved to be invaluable training for his current job as CISO of defense contractor Northrop Grumman—not just because of the investigative and security skills he developed, but also the people skills. In his 10 years at the FBI, he learned how to communicate clearly, build strong teams and lead effectively.

“Understanding motivations—what gets people going, what gets them out of bed in the morning—definitely helps to build relationships in the company, which leads to making the security programs successful,” McKnight says.

Communication and leadership skills are essential for a CISO, who must be able to bounce between the data center and the boardroom, and translate security needs into business terms, he says. The main challenge for any CISO is getting past the old image of being the “gloom-and-doom, sky-is-falling guy.”

After leaving the FBI, McKnight moved to the private sector and became steeped in how an IT organization in a large corporation operates. At Cisco Systems, he launched a team that conducted security assessments of companies Cisco acquired. He then worked as IT security director for defense and aerospace firm BAE Systems North

At the bureau, McKnight felt like a pioneer in an exciting world of information protection. Today, he thrives on the challenges of information security and forging ahead into uncharted territory.

“With the constant change in security and business needs, I continue to feel like a pioneer,” he says.


Certifiably Skilled

Given this apparent premium on business skills, which would you rather your security staff have: an MBA or a CISSP? (See “Moving On Up,” p. 30.)

Certification debates are sticky. Many argue that certifications are diluted and have lost their luster, especially with larger enterprises; others value them because they demonstrate a level of competency. One thing not up for debate: Security certification holders earn more money.

According to SANS, if you have an ISACA certification like the CISM and CISA, or (ISC)²’s CISSP, you’re among the highest paid security professionals. Those with ISACA’s management and auditing certifications average $98,571 in annual salary; a CISSP or SSCP earns $95,155, on average. According to the survey, these wages exceed the $79,430 average annual salary for those professionals with vendor-specific certifications from Cisco Systems or Microsoft, for example. Foote Partners, meanwhile, looked at salaries associated with 109 certifications, and has determined that holders of the CISA, CISM, CISSP, SSCP, CCSP and SANS’s GIAC certifications are among the highest paid professionals in the field.

While non-certified administrators got, on average, bigger raises in 2005, their base pay was lower. According to Foote Partners, compensation for certified professionals has leveled off because of a slowdown in demand for entry-level and intermediate security employees. However, the company predicts that hiring and salaries for certified security pros will increase for several reasons: The prevalent belief is that security is a cost of remaining competitive; additional global projects require complex security; criminally motivated breaches are on the rise; and federal and industry regulations are calling the shots.

Sidebar figures (values not legible in the scan): the median salary for a senior security executive; the median salary for security analysts or network security architects. SOURCE: Foote Partners

While some infosecurity managers, like BT Radianz’s Hession, argue against discounting non-certified job candidates simply “because they’re not a career security person,” certification bodies insist that certifications are perhaps more important factors in hiring security professionals than in any other IT segment.

“You’re talking about someone with access to everything in an organization. You want to rely on what a competent organization said about what a candidate can do,” says Corey Schou, vice chairman of (ISC)²’s board of directors. “If a security professional goes through a certification program, it’s worth paying them more; they have more skin in the game. We’re talking about, in some cases, people getting $120,000 a year—you want to make sure you’re buying good quality. We provide the due diligence model. They’re not just walking in saying they’re good; someone has sworn they’re good.”

Techie Revival

Keep in mind, too, that the definition of what’s good often changes. Technical skills, in fact, may regain importance.


Leap of Faith
Bloomberg chief makes unusual leap from sales to security

Title: Head of security at Bloomberg
Key career move: Volunteering with ISSA

Stephen Scharf’s path to becoming head of information security at Bloomberg had a rather unlikely start: sales.

Fresh out of college with a degree in history, he got a job selling CAD/CAM-based nesting software to manufacturers of helicopters, tractors and other heavy equipment. The software helped engineers figure out the optimal parts positioning on sheet metal to cut down on material waste. He loved going out on the manufacturing floor filled with big machinery—“every kid’s dream,” Scharf says.

But he was more interested in the products than selling them. So he shifted his focus to technical support and set his sights on a career in IT. He worked as a systems administrator and network engineer. Eventually, as security-related projects filled more and more of his time, he found his true calling.

Scharf transitioned to security consulting firm @stake (acquired in 2004 by Symantec), where he performed both IT security and physical security assessments mostly for financial services firms. He also expanded his knowledge of industry trends by volunteering for the Information Systems Security Association (ISSA).

After four years of consulting work, he joined Bloomberg, a major outlet for financial data, news and analysis. Like everyone who works for the company, Scharf doesn’t have an official title; he heads up both physical and IT security.

His varied background of sales, support, engineering and consulting gives him the skills necessary for the job, which requires him to wear many hats, Scharf says. Having IT experience coupled with an understanding of business helps him take a measured approach, weighing risks with the cost of their remediation.

“We spend a lot of time and effort securing our environment, and you have to be able to translate that into the associated costs and benefits [from a business sense],” he says.



Security salaries by…

…company size (median salary by number of employees; only the first and last row labels survived the scan)
100,000 or more
…
Fewer than 250

…years of security experience (median salary; only the first and last row labels survived the scan)
More than 20
…
Fewer than 3

…industry (median salary)
Financial Services: value not legible
Retail and Wholesale: $77,683

…certification (median salary)
ISACA (CISM, CISA): $98,571
(ISC)² (CISSP, SSCP): $95,155
Vendor (Cisco, Microsoft): $79,430

You do the math!

Everyone’s qualifications vary, but these salary estimates can give you a sense of your earning potential. For instance, if you have 12 years’ experience, a CISSP certification and work in a Fortune 100 financial services company, your salary should be $88,503.

$89,452 + $95,155 + $86,388 + $82,927

SOURCE: SANS Information Security Salary and Career Advancement Study, released January 2006

Alan Paller, director of research for the SANS Institute, says that people who have been writing security policies and audit reports aren’t directly making their companies more secure, and the state of security is much worse than what managers have led people to believe.

“I can see just over the horizon a shift toward equally valuing the rarer skill of securing systems to the common skill of writing about and managing security,” Paller says. “This means that the CISO has to focus more on the technology side of the job. Most CISOs have known this secretly and are intellectually prepared for it. It’s a challenging shift because the professionals are being measured not on whether they wrote a report, but whether they’ve made a system secure. This forces more of a partnership between security and operations, as opposed to them having a ‘gotcha’ relationship.”

Paller says that enterprises have been relying for too long on process-based metrics—such as whether a policy is written, disaster recovery plans are in place or in-house security awareness training is conducted.

Now, some businesses are moving to attack-based metrics that gauge the performance of people and systems against particular vectors like DoS attacks, Trojans, rootkits and spyware.

“As soon as you change the metrics, which is happening now, you value the people who get scores up more than those who write reports,” Paller says.

He stresses that his theory doesn’t devalue the skills of a security manager; it just elevates the worth of those with technical chops. With audits happening more frequently—in many instances, quarterly instead of annually—organizations are placing more emphasis on secure systems and

“Assuming the value you’re paying for management skills is fair, you’re going to pay close to the same money for those who can meet demand,” Paller says. “It isn’t only about management.” Paller concedes that this shift may take a couple of years.

In the meantime, many enterprises will pattern their security offices around risk management, the very skill that Continental’s Gold was searching for. “What’s hard to test is aptitude. I wanted someone who could think outside traditional security parameters,” he says.

Michael S. Mimoso is senior editor of Information Security. Send your thoughts on this article to feedback@infosecuritymag.com.


Skills

Moving On Up

How do you rise in the security ranks? Don’t speak geek; use the language of business.

IMAGINE THIS: You’re lost in a foreign country. When you ask for help, everyone answers in their native tongue. You’re frustrated and anxious because you can’t get the information you need. You’re hoping someone will come along who speaks English to lead you in the right direction.

This is how a CEO or CFO feels when your way of addressing a business problem is to spit out tech-speak. “Many CEOs and CFOs are threatened by technology and are not comfortable with technical terms,” explains Richard M. Entrup, CIO for Byram Healthcare Centers, a company that specializes in delivering medical supplies to home patients. “If you’re sitting in an executive staff or board meeting, you can’t be a techie. You’re also not going to gain the necessary support and cooperation, or make your case, unless the value proposition impacts the business.”

These days, your security know-how is a given. What it really takes to move up the corporate ladder is the ability to translate security technology into business need—whether that means adequately defining risk or helping pass an audit.

These are the key findings from Information Security’s exclusive research into what it takes to land (and succeed at) a security manager’s job. We surveyed nearly 100 C-suite executives and upper-level corporate managers to get a sense of what they want out of their organization’s top security pros.




All in a Day’s
Diary compiled by Bill Brenner

When you’re a security executive for one of the world’s largest financial institutions, it’s never a 9-to-5 workday. Here’s a look at the typical day for ANISH BHIMANI, managing director of IT risk management for New York-based JPMorgan Chase.

Between 4:00 and 4:45 a.m.: Wakes up and gets ready for work.

5:30 a.m.: Leaves his New Jersey home and begins his morning

6:00 a.m.: Catches the ferry to Manhattan.

6:30 a.m.: Arrives in his New York City office. Checks e-mail, reviews expense reports and tackles other administrative tasks for the first 30 minutes of the day.

7:00 a.m.: Takes the subway to another JPMorgan Chase building in midtown Manhattan.

7:30 a.m.: Attends a weekly senior management metrics meeting, where production and control issues from the previous week are discussed with business CIOs and senior executives.

9:30 a.m.: Attends an IT risk staff meeting, where budgets are reviewed, and HR and communication issues are discussed. The meeting breaks around 11:30 a.m.

11:30 a.m. to 1:00 p.m.: Catches up on e-mail and returns phone calls. Eats lunch at his desk. (Lunches often involve one-on-one meetings with staffers.)

1:00 to 2:30 p.m.: Participates in a privacy committee meeting.

2:30 to 3:30 p.m.: Attends a meeting to discuss the response to a regulatory exam.

3:30 to 5:00 p.m.: Leads a monthly review on security initiatives.

5:00 to 5:15 p.m.: Reads his e-mail; answers staff and colleague inquiries.

5:15 p.m.: Leaves the office to catch the ferry. Reviews documents on the ferry.

6:30 to 9:00 p.m.: Arrives home, spends time with his wife and two children.

9:00 to 10:30 p.m.: Participates in conference calls with business associates in Asia and elsewhere.

10:30 to 11:00 p.m.: Goes to bed.

For Anish Bhimani, Tuesdays are his busiest days, and he tries to work from home on Fridays whenever possible. But his work week never really ends as he continues to keep up on e-mails throughout the weekend and take calls from the operations group when necessary. It’s a tough job, day in and day out, but the JPMorgan Chase managing director of IT risk management is up to the challenge.


Bottom line: Working effectively with the powers that be is tantamount to nearly every other skill. More than 85 percent of C-level executives believe a security officer’s ability to get upper management to buy into key security projects and earn their respect is extremely or very important to his or her career success.

Walk the Walk, Talk the Talk

It all starts with really knowing your business. More than 80 percent of the executives we surveyed believe that understanding a business’s unique challenges is very important.

“CISOs are people who can be incredibly tech- and detail-oriented, but they have to step back and look at the larger picture,” says Ruth Harenchar, CIO for legal services firm Hobart West Group.

The big picture includes the abilities to balance risk against business needs and make good judgment calls, explains Jeff Huegel, CSO of USi, an application service provider of enterprise and e-business solutions. “If you want to enter the executive ranks, you need to understand business strategies, financial bottom lines and decision making around the businesses’ organizational purposes,” he says.

Security is not cut and dried. The keys to being a successful security executive are balancing the risks and accurately communicating and portraying some risks as more serious than others, says Harenchar.

While security may be your expertise (and comfort zone), it is important to realize that, when an executive makes a business decision, it is only one piece of the puzzle. “Security isn’t the linchpin; it’s just another facet to understand,” says Peter Gregory, a senior security specialist with more than 20 years of experience. “Security experts aren’t the only ones bringing information to the table—legal, R&D and sales, among others, have their say, too. A good security professional wants business leaders to make an informed decision.”

“During my tenure as CISO, I saw bright people that were much better technically at security than I was,” explains Ken Tyminski, consultant and former CISO for a large financial services firm. “But they didn’t always understand how to evaluate business risks, and often focused on having the best security technology rather than addressing the business risk.”

Survey figure (value not legible in the scan): executives who say a CISSP certification is more important than an MBA.

Perceived shortcomings in security professionals, say our survey respondents, are seeing things as black or white and squelching projects outright. As one senior-level executive put it, “You need to lead the way, not get in the way.”

You have to be business savvy and be able to sit down with anyone in the company to understand their problem and their needs, says Huegel. “Most of the time you will be talking to people who don’t know the fundamentals of security technology,” he says.

Get Your Hands Dirty

On-the-job training beats any certification or diploma hands down, according to our research. Ninety percent of those surveyed believe that practical experience is the most important characteristic when evaluating candidates for a security job.

The ability to prove that you have secured networks against external attacks and internal threats is also one of the top considerations. “Security people aren’t made in universities, they are made in the workplace,” says

However, when asked to choose a candidate with a security certification or an MBA, nearly three-quarters of the C-level executives surveyed feel that a CISSP certification is more important. Certifications are a convenient and useful way to eliminate unqualified applicants, says Gregory. Adds Hobart West’s Harenchar: “I won’t talk to anyone who doesn’t have a CISSP. I realize certifications aren’t perfect, but they are a reasonable indicator.”

No certification under your belt? Executives recommend that you position your skill set in line with what’s required to earn one. “If [job candidates] don’t have a certification, they should explain their job functions and put in their résumé ‘CISSP-equivalent,’” says Craig Zachmann, e-information manager for Riverbank Business Center, a bank based in St. Paul, Minn.

“As an executive recruiter, I look for speaker’s presentations, publications and industry participation,” says Tracy Lenzner, CEO of LenznerGroup.

And an MBA? It’s icing on the cake, says USi’s Huegel.

Survey figures (values not legible in the scan): executives who say compliance experience is a very important trait in a security manager; executives who say personal integrity is important in a security professional.


Rubbing Shoulders
Want to build your (personal) networks?

Developing strong professional relationships often helps you land a new job. The following organizations are good places to get together with other security pros.

Information Systems Audit and Control Association (ISACA)
A professional organization for information governance, control, security and audit professionals that has more than 50,000

Institute of Electrical and Electronics Engineers (IEEE)
A professional association with more than 365,000 members promoting the engineering process and knowledge about electric and information technologies.

Information Systems Security Association (ISSA)
A not-for-profit international organization of information security professionals and

InfraGard
An association of businesses, academic institutions, and state and local law enforcement agencies dedicated to sharing information and intelligence to prevent attacks against the U.S. InfraGard chapters are geographically linked with FBI field office territories.

These days, another must-have component to any infosecurity résumé is compliance experience. Eighty-eight percent of those surveyed think that surviving an audit and meeting regulatory demands are extremely important or very important skills to have.

“Security is all about compliance. It’s difficult to find companies that are not directly or indirectly asked to comply with some regulation that touches the technology in their business,” says Gregory. “You need to understand auditing and put compliance high up on your résumé.”

“It’s a differentiator,” says one security executive at a large healthcare solutions company. “It takes true grit to go through a compliance effort. It’s a stressful process.”

While compliance is a sought-after skill, be careful when you sprinkle your résumé with acronyms and security lingo, say executives. Filling up on buzzwords can be a red flag.

“You need to ascertain whether candidates have been reinventing themselves or are really doing something in security,” says one executive at a healthcare solutions firm. “If they have the buzzwords in there, there had better be descriptors to back it up.”

A sure-fire way to poke holes in a résumé is to ask job candidates to describe the acronyms.

“I tend to pick the most obscure and least popular platform or acronym to wire in on. If you can’t speak to it from hands-on experience, don’t put it on your résumé—you might get called on it. This is where things start falling apart during an interview,” says Byram Healthcare’s

Do you want to end your job search before it begins? Brag about your glory days as a black hat. Hiring managers value a security manager’s personal integrity above all else; 93 percent cite it as extremely important.

“If you were to boast that you’ve been a hacker or cracker, I would say, ‘Have a nice day,’” says Gregory.

There are other ways to get those skills. Hacking contests can prove your worth, but if it is unethical, we’re not interested, says one security executive.

“You’ve got to be discreet, willing to take a stand and be someone a CIO can really count on,” says Hobart West’s Harenchar.

She adds, “Security is not for the faint of heart.”

Kelley Damore is editor-in-chief of Information Security. Please send your thoughts on this article to feedback@info

Photographs by JUPITER IMAGES

Survey callouts: Executives who say understanding a business’s challenges is a very important skill for security. Executives who say quantifying risk is a very important skill for a security

Easy Climb TO THE

Want to move up the corporate ladder? Here are some skills that you will need to enter the

A strategic understanding of business and technology risk management, with less focus on technical skills; an understanding of how security supports business, and of communication skills, negotiation skills, budgeting, strategic planning, and people and project management

A bachelor of science degree in computer science or engineering; a master’s degree in information assurance; an MBA; a law degree

Skills




‘glass ceiling’?

Women are

Pictured: Rebecca Norlander, Joyce Brocaglia

nation’s top information security leaders convened to meet the press. All of them were women.

“We looked at each other and said, ‘Well, that’s odd.’ Then we all smiled because, really, not that long ago we would have been the only ones in a sea of men,” recalls Lisa “LJ” Johnson, the CISO for Nike, who was one of that notable trio.

As the role of the security executive has grown from that of a pure technologist to a risk strategist, so have the ranks of women in companies’ infosecurity programs. Now, strong communication, program and project management skills are highly valued.

“Those kinds of skills lend themselves naturally to women,” explains Joyce Brocaglia, CEO of information security recruiting firm Alta Associates and founder of the Executive Women’s Forum on Information Security, Privacy and Risk Management (see “An Executive Decision,” below). “Women are attuned naturally to juggling a lot of things, and their experiences in multitasking, communicating and negotiating are all contributing factors to their success.”

Adds Peter Gregory, a senior security strategist: “Women are very valuable; they think differently. Talented women can and will stir things up in a good way. Men want to fix it quick, women want to understand. Women improve a professional working team for a number of reasons; they see problems differently and they bring a good perspective to the table.”

Johnson, who earned a degree in forestry and began her IT career through a temp job, agrees that a shift in attitude toward information security as a business enabler, rather than productivity blocker, has turned the roles of CSO and CISO into those of a problem-solver with a firm grasp on risk management. That requires learning the language of business and getting a firm understanding of how enterprises operate.

“It’s much more of a complex challenge, and it requires relationships and taking time to understand a business before you can be understood,” she says. “Maybe that is what’s drawing more women into the business.”

Rebecca Norlander, who came to Microsoft as an Office application developer and now is general manager of its Security Technology Unit, believes that the ability to view issues from myriad angles serves as a useful tool in developing operational, tactical and strategic goals. “I think women have a higher tendency to look at computers as tools in their daily life that solve a larger problem and need to be treated with care, whereas a lot of men see [security] as a technical challenge.”

As such, Norlander says, women are “uniquely positioned to paint a picture of what you’re actually trying to accomplish, and then translate it into nitty-gritty technical details in the solutions. Most men do the opposite.”

But some, like Suzanne Hall, AARP’s director of IT operations, say the workplace still has a ways to go. “Security has a seat at the table and is reporting to the highest levels,” Hall says. “As a woman, the impact is the same as it was for many women who first found themselves at the executive table: Look around, and you are often the only woman.”

Hall, an accountant by education who not only runs AARP’s security division but heads all of its IT operations, finds that female business leaders are more plentiful in other areas, such as marketing and human resources, than in information security. “I found most women that started out when I did over time have chosen to stay home or take on a profession that doesn’t require them to be out of the home as much as IT can,” she says. “It’s still not the most hospitable climate for women in general.”

That’s one reason global companies such as Microsoft are investing millions of dollars into college scholarships, computer research labs and recruitment of minorities and women. It also hosts internal regional conferences on work/life issues for its female sales force to help them to better handle schedules, child care and task-sharing in the home and at work. Not that men don’t have similar struggles once they become fathers, but the workplace bias is still there, and these companies are working to fix that.

Adrienne L. Hall, senior director of Microsoft’s Trustworthy Computing initiative, remembers being told by a customer that it was useless for them to build a work relationship because she’d soon have children and leave. The customer later apologized for his remark. “I think there’s always a tension around the time people spend at the office and at home, and women have that aspect to consider in terms of when they would take a promotion or when they would have a child,” she says. “There’s a need for increasing awareness and sharing best practices for it.”

That’s one reason that, five years ago, Brocaglia founded the Executive Women’s Forum (EWF), which meets annually to build alliances and advance careers.

“We help to make women aware of how other women succeed in gaining influence and consensus and getting their points of view conveyed,” Brocaglia explains. New to this year’s conference in September will be the announcement that an EWF fellow will receive a full two-year scholarship to the Carnegie Mellon Information Networking Institute (INI) for her master of science degree in information security technology and management. In addition, the recipient will be mentored by an EWF participant. It’s another step in strengthening female bonds and fostering cooperation, rather than competition.

“The biggest change I’ve seen in the 20 years I’ve been recruiting…is the huge change in attitude of women from the old days of ‘I got here the hard way and you have to pay your dues, too,’ to a complete turnaround, where women are incredibly gracious and willing to help other women to succeed,” Brocaglia says.

“The women who attend the forum have this determination to share and help each other, be open and honest, and really go out of their way to make other women successful. And that’s a huge advancement,” she says.

An Executive Decision

At the first Executive Women’s Forum on Information Security, Privacy and Risk Management in 2003, women executives raised a glass, so to speak, to shattering glass ceilings.

The brainchild of Joyce Brocaglia, who is the CEO of information security recruiter Alta Associates, the EWF has since expanded its ranks and its influence by providing numerous, year-round networking

Yet the conference remains true to its original mission to provide a unique opportunity for women to share advice and experiences that ultimately benefit not just their gender but the industry as a whole.

“With the EWF, women are aware of how other women succeed in gaining influence, building consensus, getting their points of view conveyed, and getting their voice heard both inside their own companies and externally,” Brocaglia explains.

Pictured: Adrienne Hall, LJ Johnson, Suzanne Hall

Anne Saita is the former senior director of news and events for the Security Media Group at TechTarget, the parent company of Information Security. Please send your comments to


9 Habits of Highly

Head to toe, what traits would you build into the perfect CISO? Here are our top picks.

• As a leader you need to see the big picture and how security affects business. “See issues through the eyes of others,” suggests Jones.

• Learn when and when not to take risks. “Be a problem solver and facilitator of solutions that meet the organization’s objectives,” says Jones.

• Even when the times are rough and the threats are significant, stay the course with the appropriate amount of urgency and commitment.

• Try to be pragmatic and a little paranoid at the same time. Think logically and you’ll always be one step ahead of the attackers.

• Articulation is an undervalued trait. In your own office, clearly enunciate your directives and your staff will follow through.

• Being able to sit down in the boardroom and translate technology imperatives into business sense will help outline the cost benefits of security to the higher-ups.

• Take advice, but in the end make the decisions yours. “Be an educator—always look to advance other people’s understanding of issues,” suggests Jones.

• Have the courage of your convictions. If you do, your staff will follow you even if your decision is not the most popular choice.

• Get your security objectives the attention they deserve. “Have the courage to take unpopular positions, but be open-minded and willing to change,” says Jones.

So, who is the perfect CISO? The case could be made for Jack Jones, former CISO of Nationwide Insurance (pictured right), who was awarded the Excellence in the Field of Security Practices trophy at the RSA Conference 2006 in

Jones led nearly 100 infosecurity professionals through various aspects of risk management while at the Fortune 100 company, and succeeded in creating a security policy modeled after ISO 17799.

Jones has been able to bring his strengths to his new role. “Actually, one of the reasons I chose to move on was so that I could apply the lessons I’d learned and the skills I developed at Nationwide to a new environment.”

Jones stays humble about his excellence award and the accolades that come with it. But, who does he feel is the perfect CISO? “Not me. That person would need to be a superlative communicator—in all media, with all audiences at all levels inside and outside their organization.”

Wise words from a true infosecurity winner.

Compiled from interviews conducted by Anne Saita, Michael S. Mimoso, Marcia Savage and Kelley Damore, with input from Debby Fry Wilson, Adrienne L. Hall, Rebecca Norlander, Lisa “LJ” Johnson, Suzanne Hall and James Christiansen.

Photograph by LARRY HAMILL

Savvy




LEE J. KUSHNER is founder and CEO of LJ Kushner and Associates, a full-service information security recruitment firm. Please send comments on this article to feedback@infosecurity

No two CISOs have the same background,
ones have similar skills.


For the past 10 years, I have been asked one question more frequently than any other: “How do you become a chief information security officer?” Unfortunately, it’s the most difficult question to answer.

If you asked 100 CISOs how they landed their jobs, you would probably find 100 different paths to the top. A few common traits might emerge—for instance, few CISOs have come into their roles by exclusively working in information security. Most have backgrounds in general information technology, physical security, finance, legal, marketing and even human resources.

While many security pros have been practicing information security for a long time, we tend to forget that the industry has only developed over the past 10 years—a relatively short time compared to other corporate disciplines like finance and sales. In each of these other professions, the career map is set; virtually all CFOs and vice presidents of sales have met certain career prerequisites. In our industry, we have not had the time to develop these requirements. Corporations view information security in many different ways; therefore their leadership requirements vary according to specific needs.

In my experience, I have collected some of the requirements that are associated with all senior information security positions:

Vision: When a company is looking for an information security leader, often it will be for the first time: Management wants someone who can lay out the corporate blueprint for all its future security plans. Having a clear plan on the role the information security team should play as it relates to the core business practices of the company is key. In most cases, companies will search for someone who has successfully implemented a vision at another company, or who has witnessed the successful implementation of a security program in a company within the same

Range of information security knowledge: It may sound obvious, but companies look to their information security leader for the answers to all of their information security-related problems. Regardless of whether the issues are technical, personnel, procedural or regulatory, the CISO is expected to address all of these angles. Businesses want people who have developed an excellent foundation within the information security industry and who have illustrated the ability to solve information security-related problems. In addition, when organizations are hiring a CISO, they are traditionally searching for someone who can address the current issues facing the organization and see future ones before they cause problems.

Communication: Communication is not only the hardest skill to measure, but also the most critical to have. CISOs serve many different constituencies within an organization, and they are asked to communicate at different levels and to people with different degrees of technical skill; they have to effectively express ideas up and down the management chain. Successful CISOs are those who’ve earned the respect of the people leading the technical functions and can translate the advantages of security controls to business unit leaders.

During the interview process, it is common for a potential CISO to be interviewed by a number of people representing different functions within the organization. In these meetings, it is essential that the candidate develop a consensus and establish a good feeling of collaboration. If this interaction is successful, it will serve as a solid predictor of the CISO’s ability to understand the complex needs of all constituents.

Execution and leadership: When talking about vision, being able to develop an effective information security plan is only half the battle. CISOs are expected to map out their plan and then execute against it; they are required to understand how to prepare a budget, build an effective staff, make technology selections, report to executive management and solve problems.

Companies expect their leaders to lead. An effective CISO will understand how to get the most out of his dedicated and shared resources. The company will look for the CISO to forge partnerships with peers from other business units, and inspire them to accept—and hopefully embrace—information security. Ideally, the CISO conveys the sense that he is enabling business functions, not restricting them.

Passion: This is another seemingly obvious point, but it is the great differentiator. As a newer discipline, information security isn’t always accepted by its peers within the corporate infrastructure. Having a passionate leader often helps alleviate this problem. It’s been said many times: Information security is a profession where no one recognizes when you are doing your job well, but everyone notices when you are not.

The CISO carries the biggest bull’s-eye, and failure can lead to extreme public embarrassment for both himself and the organization as a whole.

CISOs who can convey passion and conviction on a daily basis are effective in developing the long-term respect necessary to implement their strategies throughout the company. It is this cross-functional support that will often lead to a more security-conscious organization. These organizations are traditionally the ones that stay out of the headlines.

When we ask information security professionals to list their career goals, becoming a CISO is always high on the list. With the awareness that our industry has received and with increased support from executive management, more information security leadership positions will be

And, the number of qualified information security professionals is growing, and competition for these highly sought-after positions will continue to increase. It’s more important than ever for CISO candidates to develop the skills listed above—and others—in order to ultimately land and succeed at the job.

Assess your professional skills. To take our quiz, go to

Tough Questions

Your heart is pounding as the interviewer pelts you with questions and hypothetical conundrums. We asked security pros what was the best and toughest interview question they’ve ever answered. Read on to prepare yourself before your next big interview.

What accomplishments are you most proud of, both in business and personally, and why?
Suzanne Hall, director of IT operations for AARP, suggests that all interviewees be ready. “Sometimes people just aren’t prepared when you ask this question, which surprises me,” she says.

How well do you think you’ll fit in with this company?
James Christiansen, CISO of Experian, warns not to let a question of culture knock you sideways. He says that the toughest question is one where “the answer to the question is directly related to the culture of the company, which you don’t yet know.”

Please give an example of a project that did not go as well as expected.
Says LJ Johnson, CISO of Nike, “People think it’s a trick question when they’re asked about failures, but what you want to know is what they learned from the experience.”

Will you be willing to travel?
“Who wants to be away from the family?” says Don Ainslie, global security officer for Deloitte & Touche. “[Travel] is a balancing act I struggle with.” Know the answer before you go in to help make the decision easier.

Why do you want to work for this company?
Rebecca Norlander, general manager of Microsoft’s Security Technology Unit, recalls the epiphany she had when asked this question: “I realized that, actually, I didn’t…. Start by being true to yourself. Don’t compromise your own moral compass—you have to live with yourself your whole life.”

Why are you the best person for the job?
“There are many qualified and great people that come to the table for roles in security and business at large,” says Adrienne L. Hall, senior director of Microsoft’s Trustworthy Computing. “You need to be clear on what you bring to the position that no one else does.”

How can you help this organization?
Debby Fry Wilson, director of security engineering and communications for Microsoft’s Security Technology Unit, suggests that you do your homework. “A candidate who is well prepared and genuinely seems to understand the challenges of my organization and can articulate how he or she will help advance our strategy is ideal.”


Résumé Do’s and Don’ts

We all know an employer looks at a résumé for 30 seconds. Here are some surefire tips for standing out in the stack. BY LEE KUSHNER

Do:

Write an appropriate objective statement (or omit it altogether).
Most employers will not read on if the objective does not match the position that they are hiring for. For example, if a candidate were applying for a manager of network security position at a financial services company, an effective objective statement would look like this: “Objective: To find a leadership position that enables me to utilize my five years of experience as a lead network security engineer and technical project manager at a global investment bank.”

Objective statements, however, are not a necessity. If a company has multiple positions that interest you, don’t paint yourself into a corner.

Focus on the position you’re applying for.
The résumé should be geared toward the requirements of the specific position. (It’s OK to have different résumés for different positions, but be careful about just changing the objective statement—it sometimes leads to a disjointed

For example, if the candidate were looking for a position within an industry outside of banking, he would most likely omit the specific items geared exclusively towards financial services firms. In that case, the résumé should speak to his accomplishments in network security and project management, with industry independence.

Explain short stays of employment.
Short durations of employment are the predominant reason qualified people aren’t considered for an opening. If you’ve changed positions frequently, you need to explain the reasons for leaving in one line at the end of the description. Some explanations read: “The position was eliminated,” “Recruited by my previous manager,” or “Offered a promotion.” Employers react in different ways—candor is the best approach.

Watch the length.
A résumé reflects both your experience and your ability to communicate. It should provide a road map for tracking your career and include all of your major accomplishments and responsibilities. Omit anything irrelevant to the current stage of your career.

For example, a person less than five years into their career would want to list a student job at the university computer lab. To someone with 25 years of experience, this type of a position would be inconsequential.

Here are some guidelines: The résumé should consist of two parts, a summary of career accomplishments (ranging from one to three pages) and a listing of technical skills, certifications, education and related activities (a half page to one page long). For every five years of work experience, you can add another page. The maximum number of pages you should have is four. As you progress in your career, eliminate specific accomplishments from the end of the résumé and replace them with new achievements.

Avoid being redundant.
Redundancy is the main culprit in making a résumé longer than it needs to be. Listing the same bullet points under each of your last positions gives the appearance that you have not challenged yourself. Be sure to accentuate your most current accomplishments in any position. Reinforce your skills, but avoid overkill. Always point out promotions you have earned, and technical and non-technical skills that you have developed.

For example, if you authored an information security policy at your last three companies, list the accomplishment. However, as you advance in your career, this skill should become a smaller component of your overall job function.

Don’t:

Appear overqualified.
Many people like to embellish their roles and importance in their current and past positions because they believe that it will enhance their chances of being considered for a position. Aside from possibly being dishonest, this is often counterproductive: Hiring managers do not want to give a job to someone who’d be bored with it and quickly leave the

Downplay technical skills.
It is common for candidates to put together a résumé that de-emphasizes their technical background to appear more business-focused and managerial. Information security professionals should embrace their technical roots; this is often a differentiating factor when employers make their choices. Include a list of your technical and information security skills as the last page of your résumé.

For the record, I have never been told that one of our candidates would not be offered a position because his technical skills were too strong.

Go crazy with buzzwords.
Be careful how you choose to illustrate your strengths, especially when they relate to different technologies, solutions concepts and regulatory standards. As a rule, do not list anything that you cannot back up with a level of work experience or that you would not be able to have an informed discussion on with someone who has expertise in the area. Chances are that person will eventually interview you.

Appear to be an expert in everything.
One of the best things about information security is that it comprises so many sub-segments that it has created different areas of subject matter expertise. Be careful about claiming to be an “expert” on more than one topic—it may cause some doubts about your level of proficiency. Also, when you claim to be an expert, interviewers will often choose to challenge you during an interview to validate your claim.

Overemphasize extracurricular industry activities.
Being selected to write or invited to speak about particular industry topics can make you stand out from the pack. Mention the speeches you delivered at various conferences, or the books you contributed to, during the interview itself; on your résumé, be selective in what you include.

Employers want their employees focused on their position, not on external interests. Make sure a potential employer views these activities as an enhancement to your job, not as a competition.

For a sample of a well-crafted résumé, visit





We asked some security pros to share their first jobs, proving that even the biggest of fish was little once.

“It was the height of disco when I graduated high school. I went to work for my dad’s construction company that summer as a common laborer. That September, I joined the U.S. Navy with advanced training in electronics, specializing in ship-borne radar.”
–TOM BOWERS, Information Security technical editor

“My first real job was delivering the daily Sacramento Bee when the only early morning paper was on Sunday. I learned a lot about compromise, marketing (soliciting people to take the paper) and setting priorities to business first, play time later.”
–KEVIN D. DICKEY, deputy CIO and CISO, Contra Costa County

“My first job was at an ice cream shop. I was hired as a ‘trainee,’ which allowed them to pay me below minimum wage until I reached ‘sales staff’ status.”
–DESIREE A. BECK, technical lead, CME initiative, Mitre

“I was 14 and waitressing at a coffee shop. I watched people in business suits and wondered what kind of exciting lives they had, and why they never tipped more than a dime.”
–TERRI CURRAN, director, corporate information security services, Bose

“My first job was helping test the efficiency of compressors used in air conditioners and heat pumps. Although not related to infosecurity, this was a complex system of measuring devices, data collectors and computers to run the tests and view reports.”
–RON GULA, CEO and CTO, Tenable Network Security


Choosing to join the U.S. Nuclear Regulatory Commission (NRC) is a conscious decision to contribute to our world at large. And, a conscious decision to work for a Federal Government agency recognized for its excellence as an employer.

And, the NRC was recently recognized as one of the “Top 10 Best Places to Work in the Federal Government” in 2005, according to the Partnership for Public Service and American University’s Institute for the Study of Public Policy Implementation.

IT Specialist (INFOSEC)

We are currently seeking an IT Specialist (INFOSEC) to support efforts in our Rockville, Maryland headquarters facility.

In this role, you will serve as an expert and consultant for assessing information technology security and for developing policies, standards, and guidelines related to the agency IT security program. You will also assist the supervisor with responsibilities including planning and executing all aspects of IT security oversight, organization/system investment planning, financial management with multiple funding sources, and contract administration; and recommend or determine scope and extent of programs to be undertaken, organizational arrangements, and resource allocation, etc., considering Commission policy, priorities, workload, and urgent program requirements.

Applicants must possess a broad knowledge of IT policy, and its implementation, and a demonstrated knowledge of IT security oversight. Demonstrated experience applying Federal Information Technology (IT) security requirements, guidelines, and cyber-security methods to major IT programs and systems is key, as is knowledge, understanding, and ability to apply Federal computer security standards, guidelines, and methods to major IT programs and systems. Extensive experience in the development or review of IT security policies and procedures, IT system certification and accreditation, IT security reporting, and IT security issue resolution is essential, as is thorough knowledge and practical experience in the development of major IT systems using Federal IT security guidelines and standards as part of the System Development Life Cycle Methodology. Salary range for this position is $107,521 - $139,774.

How to Apply
For a detailed job description and to apply on-line, please visit our Web site at: www.nrc.gov/who-we-are/employment.html and refer to Vacancy Announcement #OIS-2006-0015. To enter your resume into the system, simply prepare it using WordPerfect, Word, or another commonly used program, then copy and paste your resume into NRCareers. Only on-line applications will be accepted through 7/28/06.

An Equal Opportunity Employer. U.S. Citizenship Required.


Office Politics BY


tThere’s a fine line between success and failure, and sometimes the difference has

nothing to do with the merit of the project or how it’s presented. How many times

have you been in a situation where politics or personalities sidelined a decision?

Unfortunately, it happens a lot. Information security policies and procedures are

developed with the best of intentions, but often fail because they were created

without accounting for the dynamics of the organization for which they were built.

Success (as we’ve heard others say) has a lot to do with group dynamics,

motivation and leadership. Whether they realize it or not, the best infosecurity

professionals are situationally aware and attuned to what is happening to them

and their environment.

The MIT Sloan School of Management has developed a way to assess situations

around you. Called “Three Lenses,” it encourages managers to look at organizational

processes from different perspectives to understand how to excel.

• The strategic lens sees the organization as a machine that’s designed to achieve business goals by completing required tasks. This perspective requires you to pay attention to the organization’s reporting hierarchy, as well as informal teams and task force groups. What rewards and incentives are used to encourage employees to achieve business goals? Here, organizations flourish through methodical planning.

• The political lens is about power. It sees the organization from a Machiavellian point of view and acknowledges diverse stakeholders who struggle for power and may have conflicting interests. The organization’s progress depends on interest groups that compete for resources and attention from top management. To succeed, you need to understand who has the power in the organization and how employees can use that power to achieve their individual goals.

• The cultural lens examines the meaning that employees assign to situations. We all rely on informal routines and traditions to guide decision-making; pay attention to cultural elements such as the rituals and symbols that employees use. For instance, quarterly all-hands-on-deck meetings are important at some businesses; others might encourage after-work socializing. Such norms—or habits—are easy to take for granted, but they strongly affect behavior.

Which of the three lenses is right for your business? All of them. Unfortunately, as information security professionals, we tend to approach security from a purely technological perspective, without accounting for the “softer” side of organizations. Looking through three lenses into your environment will change that.

Will this approach work? Well, consider a security management program that is not tied to the organization’s strategic needs. If treated as a goal in itself, the program will become irrelevant. Similarly, a security architecture that lacks support from influential individuals, regardless of formal titles, will be unlikely to gain widespread adoption. A manager who devises policies that conflict with the organization’s culture, perhaps by being too constraining or overly permissive, will get stuck fighting a losing battle.

Try using these three lenses when you approach your next security project. They will help you understand which measures are likely to work, which might fail, and who needs to be involved in the development of the program in your organization.

When the security program succeeds, so will you.

Lenny Zeltser is the information security practice leader at Gemini Systems, a New York-based IT consulting firm, and an instructor at The SANS Institute. Please send your comments on this column to feedback@infosecuritymag.com

Photograph by JUPITER IMAGES


Buy the Book

These are our picks for the 10 must-have security titles you should always keep handy.


Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition
By William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
Addison-Wesley Professional, www.aw.com, 455 pages, $36.95

This perimeter security text is perfect for serious security professionals. The authors have mastered the art of applying the theoretical to actual working applications; the result is pragmatic advice from some of the finest minds in the field.

Hacking Exposed, Fifth Edition
By Stuart McClure, Joel Scambray, George Kurtz
McGraw-Hill, www.mcgraw-hill.com, 692 pages, $49.99

The original edition ushered in a new era of computer security publishing, offering unabashed, technically detailed and fully documented instructions on how to subvert the security of a multitude of systems. Although some scoff at the series, perhaps they just hate to see some of their secrets published.

Applied Cryptography
By Bruce Schneier
Wiley, www.wiley.com, 784 pages, $54.99

Any book that the National Security Agency prefers to remain unpublished is bound to make great reading. Anyone doing serious work with cryptography needs a copy. With a comprehensive and excellent explanation of encryption of all kinds, this book is second to none.

Practical Cryptography
By Bruce Schneier, Niels Ferguson
Wiley, www.wiley.com, 432 pages, $50

Schneier’s sequel to Applied Cryptography will help you apply your newfound cryptographic skills successfully and securely. Think of them as volumes one and two of the same book.

Practical Unix & Internet Security
By Simson Garfinkel, Gene Spafford, Alan Schwartz
O’Reilly, www.oreilly.com, 986 pages, $54.95

The authors deliver an excellent introduction to a wide variety of computer and network security issues within UNIX.

Security Engineering
By Ross Anderson
Wiley, www.wiley.com, 595 pages, $70

This book details security design and implementation strategies employed in real-world systems. Although many publishers employ strategies attempting to inflate the page count (and price) of a book, this 600-page masterpiece could only result from the dedication of an extremely knowledgeable veteran of the field.

The Tao of Network Security Monitoring
By Richard Bejtlich
Addison-Wesley Professional, www.aw.com, 832 pages, $54.99

“Tao” means “The Way,” and that’s what this book is: the way to evolve IDS operations. The network security monitoring philosophy is both obvious and completely revolutionary.

The Art of Computer Virus Research and Defense
By Peter Szor
Addison-Wesley Professional, www.aw.com, 744 pages, $49.99

Szor’s mastery of virus/antivirus technology is unparalleled, and this comprehensive tome is the definitive work on the subject. Although parts are inaccessible to all but experienced assembly language programmers, antivirus is such a critical technology that every professional should read this book, if only to understand the problem.

A Guide to Forensic Testimony
By Fred Chris Smith, Rebecca Gurley Bace
Addison-Wesley Professional, www.aw.com, 560 pages, $54.99

As security pros, we stand a chance of being called into court to testify about the results of our investigations. The authors do a good job of explaining the challenges associated with information security cases and how to give the best testimony


Spam Kings
By Brian McWilliams
O’Reilly, www.oreilly.com, 256 pages, $22.95

This behind-the-scenes account of real-life spammers and spam fighters is a must-read for anyone trying to squelch junk e-mail. There’s a freak show in here, but also a lot of good intelligence on the inner workings of the spam kings.

Photograph by MICHELLE JOYCE

