COMPARE YOUR SALARY (P. 20), YOUR CAREER & ASSESS YOUR SKILLS (P. 30), AND RATE YOUR SAVVY (P. 42) IN OUR EXCLUSIVE CAREERS GUIDE.

• State of Salaries
• Key Characteristics of CISOs
• Do’s and Don’ts of Résumé Writing
• Ranum versus Schneier: Do Certifications Matter?
• Using Office Politics to Your Advantage
• Tough Interview Questions
• A Recruiter’s Perspective on How to Land the Perfect Job
• How to Network Effectively
• A Day in the Life of a Security Executive
• Women in Security
• What the C-suite Looks For
• 10 Must-have Security Books
Six-figure security jobs have become common. Maybe you should slip this article into your boss’s mailbox.
BY MICHAEL S. MIMOSO
For 14 months, candidate after candidate trudged through Andre Gold’s office hoping to be offered a coveted position with the Continental Airlines information security team. Gold saw them all during his hunt for talent—CISSPs, CISMs, MCSEs, each with impressive technical chops, but….

“They could not define risk, or they did it by what the CISSP book says,” says Gold, director of information security for the airline. “To the business side, it’s important to have an entity that can articulate risk in terms of the business. I can find people who write rules and put in firewalls. All I ask them is, ‘Why? What’s the risk? How will it impact revenue?’”

Increasingly, those who can successfully align risk to business processes and communicate that to management are cashing in with lucrative careers in information security, and landing jobs with six-figure salaries, according to most prominent salary surveys.
20 INFORMATION SECURITY July 2006
By that measure, Gold believes he is making himself even more marketable by pursuing an MBA from Colorado State University. In fact, some predict (and hope) that those with business skills bolstering their bits-and-bolts knowhow will get compensated in the same manner as a company’s

“You will see compensation structures change, and [CISO] packages more in line with what chief executives expect in an organization,” Gold says. “That includes the base salary, incentive bonus packages and stock options. I see [getting a CISO position] becoming competitive, but you won’t see that competition drive down the price.”

Putting Out Fires
Former Army intelligence officer focuses on crisis control

Name: DON AINSLIE
Title: Deloitte &
Key career move: Taking the job

Working counterterrorism and counterintelligence in the U.S. Army, Don Ainslie provided “black book” briefings that outlined threats in officers’ particular regions. As the current global security officer for Deloitte & Touche, he supplies company executives with business intelligence on regional threats. Ainslie is responsible for securing the professional services firm’s information and 125,000 employees in 150 countries, and handling crisis management.

Since taking the position in 2004, Ainslie’s leadership and management during crises have been tested plenty of times with the Asian tsunami in 2004, the London subway bombings in 2005, various hurricanes and a building fire in Spain.

He draws on the security foundation he built during his four years in the Army and his experience working as a security consultant at Trident Data Systems and Aegis Research. Both companies specialize in serving government agencies, and some of the work was sensitive and involved classified data. He later joined Ernst & Young, where he helped commercial clients with business continuity plans, risk assessments and other security projects.

Deloitte tapped Ainslie in 1998 to help build an information security consulting practice. He then headed global information security until Deloitte combined its information and physical security efforts, expanding his role.

His job isn’t about forcing people to do things or implementing security for security’s sake within the company. Rather, it’s about showing how security can help the bottom line and improve the services Deloitte provides its clients, Ainslie says.

“You have to establish credibility—that you know what you’re talking about—but also [show] that you can add value,” he says.
Getting Down to Business

Various organizations conduct salary studies that focus on slightly different job titles. But regardless of whose numbers you look at, today’s average security manager is making upwards of $100,000 per year. The SANS Institute’s annual salary and career advancement survey, released in January, puts the median U.S. salary for a senior security executive—such as a CISO, CSO or chief risk officer—just north of $106,000. Meanwhile, according to compensation researcher Foote Partners, a manager of information security earns slightly more than $101,000 per year.

Why do some security managers earn more than others? “The global nature of the position, responsibilities, size of staff, industry and geographic location,” explains Joyce Brocaglia, CEO of Alta Associates, an executive recruitment firm specializing in information security. “People who have skill sets and can articulate certain situations to enable the business to reach its goals can demand

But don’t misinterpret six-figure pay to mean that infosecurity pros think they’re being adequately compensated. With the money comes new demands; regulatory pressures have forced corporate boards to pay more attention to information security, and that added focus shines a spotlight on the policies and people that protect customer data and intellectual property. There’s more on a CISO’s plate than ever before.

“I haven’t seen compensation in line with what major organizations are expecting of CISOs,” says Continental’s Gold. “Base salaries are still low, and incentive plans that include equity in companies are not on par with what they should be. You’re asking individuals to plug gaping holes in organizations, especially if it’s a public or Fortune 500 company, and you’re still not compensating them what you should be.”
Some industries, like financial services, are starting to put security under the risk management umbrella alongside business continuity, disaster recovery and technology risk management. Earlier this decade, regulated industries scampered to meet the demands of auditors to have a central figure responsible for risk and, ultimately, for

It’s the Can-do Attitude
Experian’s CISO makes security an enabler

Title: Experian CISO
Key career move: security at Visa

James Christiansen was an engineering executive at Visa International in the late ’90s when the company suffered a very public, embarrassing incident involving a stolen laptop. Intent on preventing similar events, the company’s IT president asked Christiansen what it should do. Christiansen went to work on a business plan, scouring the Internet and anything he could get his hands on regarding security best practices. He handed the president his plan with the recommendation that Visa create an information security division and got a quick answer: Do it.

Eight years later, after becoming Visa’s first information security officer and then the worldwide CISO for General Motors, Christiansen has taken up a post as CISO at credit and financial services firm Experian. He credits his success to his combination of technical and

At Visa, he directed the project management office and worked in IT financial management before moving into engineering. He also worked as the business relationship manager of call center operations at Household Credit Services, and, before that, worked in various database, systems engineering and programming jobs. His professional credentials include an MBA.

In Christiansen’s opinion, a CISO needs deep technical grounding balanced with a strong understanding of business; using jargon and fear to convince the CEO of the need for security is “the loser approach,” he says. “You need to be able to translate the issues into terms the CEO can

That skill of couching security in terms of driving revenue last year helped him to earn an unusual honor for a security official: an award for his contribution to Experian’s sales.

Instead of always saying no, it’s critical for a CISO to figure out a way to build on the company’s initiatives while still retaining confidentiality and data integrity, he says. “You’ve got to find a way to say ‘yes.’”
Lloyd Hession, CSO for BT Radianz, a New York-based provider of secure connectivity for the financial industry, says that funding is being funneled to audit teams—away from those doing security work. He fears salaries may have leveled off for those reticent to take the plunge into risk management. “The auditor keeps the CEO out of jail and has a seat at the big table,” Hession says. “Audit people have moved up in prominence while everyone else has [moved] down.” According to Alta’s Brocaglia, salaries have leveled off as skills have gotten commoditized and/

“If a premium is paid anywhere, it’s for the information risk area,” she says. “Folks who are truly paid the most generously are the tri-athlete candidates: they have strong business acumen, a good technology base and the ability to communicate. Companies are asking for program managers and people who tie together disparate security aspects of business units, manage the entire function and present that package to the board or

If paychecks are any indication, companies value a combination of IT and auditing skills. CISOs increasingly have more of a business-process background than one of strictly computer security or engineering. SANS found that managerial types—like senior security executives (CISO, CSO) and senior policy executives (CTO, director of IT operations)—make $106,326 per year, and technical security pros earn on average $75,275 per year. Security analysts and network security architects (positions with a technical focus) earn a median salary of $74,200 per year, according to Foote Partners.

The CISO must have strong business acumen and articulate technology solutions to a diverse audience, says Tracy Lenzner, CEO of LenznerGroup, an executive recruitment firm. Says Brocaglia, “There’s a direct correlation between the increase in offers made to those candidates who have a more holistic approach of risk and executive management skills, which are required for other executives in a company.”
Rallying the Troops
Former FBI agent says understanding motivation is key

Name: TIM McKNIGHT
Title: Northrop Grumman CISO & Business Group Director
Key career move: Leaving the FBI for Cisco

Tim McKnight got his start in information security at the Federal Bureau of Investigation as a special agent protecting the nation’s critical infrastructure from cyberthreats. His work as a G-man proved to be invaluable training for his current job as CISO of defense contractor Northrop Grumman—not just because of the investigative and security skills he developed, but also the people skills. In his 10 years at the FBI, he learned how to communicate clearly, build strong teams and lead effectively.

“Understanding motivations—what gets people going, what gets them out of bed in the morning—definitely helps to build relationships in the company, which leads to making the security programs successful,”

Communication and leadership skills are essential for a CISO, who must be able to bounce between the data center and the boardroom, and translate security needs into business terms, he says. The main challenge for any CISO is getting past the old image of being the “gloom-and-doom,

After leaving the FBI, McKnight moved to the private sector and became steeped in how an IT organization in a large corporation operates. At Cisco Systems, he launched a team that conducted security assessments of companies Cisco acquired. He then worked as IT security director for defense and aerospace firm BAE Systems North

At the bureau, McKnight felt like a pioneer in an exciting world of information protection. Today, he thrives on the challenges of information security and forging ahead into uncharted territory.

“With the constant change in security and business needs, I continue to feel like a pioneer,”
Given this apparent premium on business skills, which would you rather your security staff have: an MBA or a CISSP? (See “Moving On Up,” p. 30.)

Certification debates are sticky. Many argue that certifications are diluted and have lost their luster, especially with larger enterprises; others value them because they demonstrate a level of competency. One thing not up for debate: Security certification holders earn more money.

According to SANS, if you have an ISACA certification like the CISM and CISA, or (ISC)²’s CISSP, you’re among the highest paid security professionals. Those with ISACA’s management and auditing certifications average $98,571 in annual salary; a CISSP or SSCP earns $95,155, on average. According to the survey, these wages exceed the $79,430 average annual salary for those professionals with vendor-specific certifications from Cisco Systems or Microsoft, for example. Foote Partners, meanwhile, looked at salaries associated with 109 certifications, and has determined that holders of the CISA, CISM, CISSP, SSCP, CCSP and SANS’s GIAC certifications are among the highest paid professionals in the field.
While non-certified administrators got, on average, bigger raises in 2005, their base pay was lower. According to Foote Partners, compensation for certified professionals has leveled off because of a slowdown in demand for entry-level and intermediate security employees. However, the company predicts that hiring and salaries for certified security pros will increase for several reasons: The prevalent belief is that security is a cost of remaining competitive; additional global projects require complex security; criminally motivated breaches are on the rise; and federal and industry regulations are calling the shots.

[Infographic: The median salary for security analysts or network security architects. SOURCE: Foote Partners]
While some infosecurity managers, like BT Radianz’s Hession, argue against discounting non-certified job candidates simply “because they’re not a career security person,” certification bodies insist that certifications are perhaps more important factors in hiring security professionals than in any other IT segment.

“You’re talking about someone with access to everything in an organization. You want to rely on what a competent organization said about what a candidate can do,” says Corey Schou, vice chairman of (ISC)²’s board of directors. “If a security professional goes through a certification program, it’s worth paying them more; they have more skin in the game. We’re talking about, in some cases, people getting $120,000 a year—you want to make sure you’re buying good quality. We provide the due diligence model. They’re not just walking in saying they’re good; someone has sworn they’re good.”

Keep in mind, too, that the definition of what’s good often changes. Technical skills, in fact, may regain importance.
Leap of Faith
Bloomberg chief makes unusual leap from sales to security

Name: STEPHEN SCHARF
Title: Head of security at Bloomberg
Key career move: Volunteering with ISSA

Stephen Scharf’s path to becoming head of information security at Bloomberg had a rather unlikely start: sales.

Fresh out of college with a degree in history, he got a job selling CAD/CAM-based nesting software to manufacturers of helicopters, tractors and other heavy equipment. The software helped engineers figure out the optimal parts positioning on sheet metal to cut down on material waste. He loved going out on the manufacturing floor filled with big machinery—“every kid’s dream,” Scharf says.

But, he was more interested in the products than selling them. So, he shifted his focus to technical support and set his sights on a career in IT. He worked as a systems administrator and network engineer. Eventually, as security-related projects filled more and more of his time, he found his true calling.

Scharf transitioned to security consulting firm @stake (acquired in 2004 by Symantec), where he performed both IT security and physical security assessments mostly for financial services firms. He also expanded his knowledge of industry trends by volunteering for the Information Systems Security

After four years of consulting work, he joined Bloomberg, a major outlet for financial data, news and analysis. Like everyone who works for the company, Scharf doesn’t have an official title; he heads up both physical and IT security.

His varied background of sales, support, engineering and consulting gives him the skills necessary for the job, which requires him to wear many hats, Scharf says. Having IT experience coupled with an understanding of business helps him take a measured approach, weighing risks with the cost of their remediation.

“We spend a lot of time and effort securing our environment, and you have to be able to translate that into the associated costs and benefits [from a business sense],” he says.
[Infographic: Security salaries by… (categories “100,000 or more” and “Fewer than 250”); …years of security experience, median salary (“More than 20”, “Fewer than 3”); industry (Retail and Wholesale $77,683); and certification: ISACA (CISM, CISA) $98,571; (ISC)² (CISSP, SSCP) $95,155; Vendor (Cisco, Microsoft) $79,430]

You do the math!
Everyone’s qualifications vary, but these salary estimates can give you a sense of your earning potential. For instance, if you have 12 years’ experience, a CISSP certification and work in a Fortune 100 financial services company, your salary should be $88,503.
$89,452 + $95,155 + $86,388 + $82,927
SOURCE: SANS Information Security Salary and Career Advancement Study, released January 2006
Alan Paller, director of research for the SANS Institute, says that people who have been writing security policies and audit reports aren’t directly making their companies more secure, and the state of security is much worse than what managers have led people to believe.

“I can see just over the horizon a shift toward equally valuing the rarer skill of securing systems to the common skill of writing about and managing security,” Paller says. “This means that the CISO has to focus more on the technology side of the job. Most CISOs have known this secretly and are intellectually prepared for it. It’s a challenging shift because the professionals are being measured not on whether they wrote a report, but whether they’ve made a system secure. This forces more of a partnership between security and operations, as opposed to them having a

Paller says that enterprises have been relying for too long on process-based metrics—such as whether a policy is written, disaster recovery plans are in place or in-house security awareness training is conducted. Now, some businesses are moving to attack-based metrics that gauge the performance of people and systems against particular vectors like DoS attacks, Trojans, rootkits

“As soon as you change the metrics, which is happening now, you value the people who get scores up more than those who write reports,” Paller says.

He stresses that his theory doesn’t devalue the skills of a security manager; it just elevates the worth of those with technical chops. With audits happening more frequently—in many instances, quarterly instead of annually—organizations are placing more emphasis on secure systems and

“Assuming the value you’re paying for management skills is fair, you’re going to pay close to the same money for those who can meet demand,” Paller says. “It isn’t only about management.” Paller concedes that this shift may take a couple of years.

In the meantime, many enterprises will pattern their security offices around risk management, the very skill that Continental’s Gold was searching for. “What’s hard to test is aptitude. I wanted someone who could think outside traditional security parameters,” he says.

Michael S. Mimoso is senior editor of Information Security. Send your thoughts on this article to firstname.lastname@example.org.
How do you rise in the security ranks? Don’t speak geek; use the language of business.
BY KELLEY DAMORE

IMAGINE THIS: You’re lost in a foreign country. When you ask for help, everyone answers in their native tongue. You’re frustrated and anxious because you can’t get the information you need. You’re hoping someone will come along who speaks English to lead you in the right direction.

This is how a CEO or CFO feels when your way of addressing a business problem is to spit out tech-speak. “Many CEOs and CFOs are threatened by technology and are not comfortable with technical terms,” explains Richard M. Entrup, CIO for Byram Healthcare Centers, a company that specializes in delivering medical supplies to home patients. “If you’re sitting in an executive staff or board meeting, you can’t be a techie. You’re also not going to gain the necessary support and cooperation, or make your case, unless the value proposition impacts the business.”

These days, your security know-how is a given. What it really takes to move up the corporate ladder is the ability to translate security technology into business need—whether that means adequately defining risk or helping pass an audit.

These are the key findings from Information Security’s exclusive research into what it takes to land (and succeed at) a security manager’s job. We surveyed nearly 100 C-suite executives and upper-level corporate managers to get a sense of what they want out of their organization’s top security pros.
All in a Day’s
BY BILL BRENNER
Diary compiled by Bill Brenner

When you’re a security executive for one of the world’s largest financial institutions, it’s never a 9-to-5 workday. Here’s a look at the typical day for ANISH BHIMANI, managing director of IT risk management for New York-based JPMorgan Chase.

Between 4:00 and 4:45 a.m.: Wakes up and gets ready for work.
5:30 a.m.: Leaves his New Jersey home and begins his morning
Catches the ferry to Manhattan.
6:30 a.m.: Arrives in his New York City office. Checks e-mail, reviews expense reports and tackles other administrative tasks for the first 30 minutes of the day.
7:00 a.m.: Takes the subway to another JPMorgan Chase building in midtown Manhattan.
7:30 a.m.: Attends a weekly senior management metrics meeting, where production and control issues from the previous week are discussed with business CIOs and senior executives.
9:30 a.m.: Attends an IT risk staff meeting, where budgets are reviewed, and HR and communication issues are discussed. The meeting breaks around 11:30 a.m.
11:30 a.m. to 1:00 p.m.: Catches up on e-mail and returns phone calls. Eats lunch at his desk. (Lunches often involve one-on-one meetings with staffers.)
1:00 to 2:30 p.m.: Participates in a privacy committee meeting.
2:30 to 3:30 p.m.: Attends a meeting to discuss the response to a regulatory exam.
3:30 to 5:00 p.m.: Leads a monthly review on security initiatives.
5:00 to 5:15 p.m.: Reads his e-mail; answers staff and
5:15 p.m.: Leaves the office to catch the ferry. Reviews documents on the ferry.
6:30 to 9:00 p.m.: Arrives home, spends time with his wife and
9:00 to 10:30 p.m.: Participates in conference calls with business associates in Asia and elsewhere.
10:30 to 11:00 p.m.: Goes to bed.

For Anish Bhimani, Tuesdays are his busiest days, and he tries to work from home on Fridays whenever possible. But his work week never really ends as he continues to keep up on e-mails throughout the weekend and take calls from the operations group when necessary. It’s a tough job, day in and day out, but the JPMorgan Chase managing director of IT risk management is up to the challenge.
Bottom line: Working effectively with the powers that be is tantamount to nearly every other skill. More than 85 percent of C-level executives believe a security officer’s ability to get upper management to buy into key security projects and earn their respect is extremely or very important to his or her career success.

Walk the Walk, Talk the Talk

It all starts with really knowing your business. More than 80 percent of the executives we surveyed believe that understanding a business’s unique challenges is very important.

“CISOs are people who can be incredibly tech- and detail-oriented, but they have to step back and look at the larger picture,” says Ruth Harenchar, CIO for legal services firm Hobart West Group.

The big picture includes the abilities to balance risk against business needs and make good judgment calls, explains Jeff Huegel, CSO of USi, an application service provider of enterprise and e-business solutions. “If you want to enter the executive ranks, you need to understand business strategies, financial bottom lines and decision making around the businesses’ organizational purposes,”

Security is not cut and dried. The keys to being a successful security executive are balancing the risks and accurately communicating and portraying some risks as more serious than others, says Harenchar.

While security may be your expertise (and comfort zone), it is important to realize that, when an executive makes a business decision, it is only one piece of the puzzle. “Security isn’t the linchpin; it’s just another facet to understand,” says Peter Gregory, a senior security specialist with more than 20 years of experience. “Security experts aren’t the only ones bringing information to the table—legal, R&D and sales, among others, have their say, too. A good security professional wants business leaders to make an informed decision.”

“During my tenure as CISO, I saw bright people that were much better technically at security than I was,” explains Ken Tyminski, consultant and former CISO for a large financial services firm. “But they didn’t always understand how to evaluate business risks, and often focused on having the best security technology rather than addressing the business risk.”

Perceived shortcomings in security professionals, say our survey respondents, are seeing things as black or white and squelching projects outright. As one senior-level executive put it, “You need to lead the way, not get in the way.”

You have to be business savvy and be able to sit down with anyone in the company to understand their problem and their needs, says Huegel. “Most of the time you will be talking to people who don’t know the fundamentals of security technology,” he says.
Get Your Hands Dirty

On-the-job training beats any certification or diploma hands down, according to our research. Ninety percent of those surveyed believe that practical experience is the most important characteristic when evaluating candidates for a security job.

The ability to prove that you have secured networks against external attacks and internal threats is also one of the top considerations. “Security people aren’t made in universities, they are made in the workplace,” says

However, when asked to choose a candidate with a security certification or an MBA, nearly three-quarters of the C-level executives surveyed feel that a CISSP certification is more important. Certifications are a convenient and useful way to eliminate unqualified applicants, says Gregory. Adds Hobart West’s Harenchar: “I won’t talk to anyone who doesn’t have a CISSP. I realize certifications aren’t perfect, but they are a reasonable indicator.”

No certification under your belt? Executives recommend that you position your skill set in line with what’s required to earn one. “If [job candidates] don’t have a certification, they should explain their job functions and put in their résumé ‘CISSP-equivalent,’” says Craig Zachmann, e-information manager for Riverbank Business Center, a bank based in St. Paul, Minn.

“As an executive recruiter, I look for speaker’s presentations, publications and industry participation,” says Tracy Lenzner, CEO of LenznerGroup.

And an MBA? It’s icing on the cake, says USi’s Huegel.
EXPANDING YOUR ROLODEX
Want to build your (personal) networks? Developing strong professional relationships often helps you land a new job. The following organizations are good places to get together with other security pros.

Information Systems Audit and Control Association (ISACA)
A professional organization for information governance, control, security and audit professionals that has more than 50,000

Institute of Electrical and Electronics Engineers (IEEE)
A professional association with more than 365,000 members promoting the engineering process and knowledge about electric and

Security Association (ISSA)
A not-for-profit international organization of information security professionals and

An association of businesses, academic institutions, and state and local law enforcement agencies dedicated to sharing information and intelligence to prevent attacks against the U.S. InfraGard chapters are geographically linked with FBI field office territories.
These days, another must-have component to any
infosecurity résumé is compliance experience. Eighty-eight
percent of those surveyed think that surviving an audit and
meeting regulatory demands are extremely important or
very important skills to have.
“Security is all about compliance. It’s difficult to find
companies that are not directly or indirectly asked to comply
with some regulation that touches the technology in
their business,” says Gregory. “You need to understand
auditing and put compliance high up on your résumé.”
“It’s a differentiator,” says one security executive at a
large healthcare solutions company. “It takes true grit to
go through a compliance effort. It’s a stressful process.”
While compliance is a sought-after skill, be careful when
you sprinkle your résumé with acronyms and security lingo,
say executives. Filling up on buzzwords can be a red flag.
“You need to ascertain whether candidates have been
reinventing themselves or are really doing something in
security,” says one executive at a healthcare solutions
firm. “If they have the buzzwords in there, there had
better be descriptors to back it up.”
A sure-fire way to poke holes in a résumé is to ask job
candidates to describe the acronyms.
“I tend to pick the most obscure and least popular platform
or acronym to wire in on. If you can’t speak to it
from hands-on experience, don’t put it on your résumé—
you might get called on it. This is where things start falling
apart during an interview,” says Byram Healthcare’s
Do you want to end your job search before it begins?
Brag about your glory days as a black hat. Hiring managers
value a security manager’s personal integrity above all else;
93 percent cite it as extremely important.
“If you were to boast that you’ve been a hacker or
cracker, I would say, ‘Have a nice day,’” says Gregory.
There are other ways to get those skills. Hacking contests
can prove your worth, but if it is unethical, we’re not
interested, says one security executive.
“You’ve got to be discreet, willing to take a stand and
be someone a CIO can really can count on,” says Hobart
She adds, “Security is not for the faint of heart.”w
Kelley Damore is editor-in-chief of Information Security.
Please send your thoughts on this article to feedback@info
[Chart: Executives who say understanding a business’s challenges is a very important skill for security; executives who say quantifying risk is a very important skill for a security (figures not present in the text)]
Easy climb to the ladder? Here are some skills that you will need to enter the
A strategic understanding of business and technology risk management, with less focus on technical skills; an understanding of how security supports business, and of communication skills, negotiation skills, budgeting, strategic planning, and people and
CISSP; SSCP; ISSMP; CAP; CISA; CISM; GSEC
A bachelor of science degree in computer science or engineering; a master’s degree in information assurance; an MBA; a law degree
Factor
BY ANNE SAITA
At a major security conference a couple of years ago, three of the
nation’s top information security leaders convened to meet the press. All of them were women.
“We looked at each other and said, ‘Well, that’s odd.’ Then we all smiled because, really,
not that long ago we would have been the only ones in a sea of men,” recalls Lisa “LJ” Johnson,
the CISO for Nike, who was one of that notable trio.
As the role of the security executive has grown from that of a pure technologist to a risk
strategist, so have the ranks of women in companies’ infosecurity programs. Now, strong
communication, program and project management skills are highly valued.
“Those kinds of skills lend themselves naturally to women,” explains Joyce Brocaglia, CEO
of information security recruiting firm Alta Associates and founder of the Executive Women’s
Forum on Information Security, Privacy and Risk Management (see “An Executive Decision,”
right). “Women are attuned naturally to juggling a lot of things, and their experiences in
multitasking, communicating and negotiating are all contributing factors to their success.”
Adds Peter Gregory, a senior security strategist: “Women are very valuable; they think
differently. Talented women can and will stir things up in a good way. Men want to fix it quick,
women want to understand. Women improve a professional working team for a number of
reasons; they see problems differently and they bring a good perspective to the table.”
Johnson, who earned a degree in forestry and began her IT career through a temp job,
agrees that a shift in attitude toward information security as a business enabler, rather than
productivity blocker, has turned the roles of CSO and CISO into those of a problem-solver
with a firm grasp on risk management. That requires learning the language of business and
getting a firm understanding of how enterprises operate.
“It’s much more of a complex challenge, and it requires relationships and taking time to
understand a business before you can be understood,” she says. “Maybe that is what’s drawing
more women into the business.”
Rebecca Norlander, who came to Microsoft as an Office application developer and now
is general manager of its Security Technology Unit, believes that the ability to view issues
from myriad angles serves as a useful tool in developing operational, tactical and strategic
goals. “I think women have a higher tendency to look at computers as tools in their daily
life that solve a larger problem and need to be treated with care, whereas a lot of men see [security]
as a technical challenge.”
As such, Norlander says, women are “uniquely positioned to paint a picture of what you’re
actually trying to accomplish, and then translate it into nitty-gritty technical details in the
solutions. Most men do the opposite.”
But some, like Suzanne Hall, AARP’s director of IT operations, say the workplace still
has a ways to go. “Security has a seat at the table and is reporting to the highest levels,” Hall
says. “As a woman, the impact is the same as it was for many women who first found themselves
at the executive table: Look around, and you are often the only woman.”
Hall, an accountant by education who
not only runs AARP’s security division but
heads all of its IT operations, finds that
female business leaders are more plentiful in
other areas, such as marketing and human
resources, than in information security. “I
found most women that started out when I
did over time have chosen to stay home or
take on a profession that doesn’t require
them to be out of the home as much as
IT can,” she says. “It’s still not the most
hospitable climate for women in general.”
That’s one reason global companies such
as Microsoft are investing millions of dollars
into college scholarships, computer research
labs and recruitment of minorities and
women. It also hosts internal regional conferences
on work/life issues for its female
sales force to help them to better handle
schedules, child care and task-sharing in the
home and at work. Not that men don’t have
similar struggles once they become fathers,
but the workplace bias is still there, and these companies are working to fix that.
An Executive Decision
At the first Executive Women’s Forum on Information Security,
Privacy and Risk Management in 2003, women executives raised a
glass, so to speak, to shattering glass ceilings.
The brainchild of Joyce Brocaglia, who is the CEO of information
security recruiter Alta Associates, the EWF has since expanded its
ranks and its influence by providing numerous, year-round networking
Yet the conference remains true to its original mission to provide
a unique opportunity for women to share advice and experiences
that ultimately benefit not just their gender but the industry
as a whole.
“With the EWF, women are aware of how other women succeed
in gaining influence, building consensus, getting their point of views
conveyed, and getting their voice heard both inside their own companies
and externally,” Brocaglia explains.
Adrienne L. Hall, senior director of Microsoft’s Trustworthy Computing initiative,
remembers being told by a customer that it was useless for them to build a work relationship
because she’d soon have children and leave. The customer later apologized for his
remark. “I think there’s always a tension around the time people spend at the office and at
home, and women have that aspect to consider in terms of when they would take a promotion
or when they would have a child,” she says. “There’s a need for increasing awareness
and sharing best practices for it.”
That’s one reason that, five years ago, Brocaglia founded the Executive Women’s Forum
(EWF), which meets annually to build alliances and advance careers.
“We help to make women aware of how other women succeed in gaining influence and
consensus and getting their point of views conveyed,” Brocaglia explains. New to this year’s
conference in September will be the announcement that an EWF fellow will receive a full
two-year scholarship to the Carnegie Mellon Information Networking Institute (INI) for her
master of science degree in information security technology and management. In addition,
the recipient will be mentored by an EWF participant. It’s another step in strengthening
female bonds and fostering cooperation, rather than competition.
“The biggest change I’ve seen in the 20 years I’ve been recruiting…is the huge change in
attitude of women from the old days of ‘I got here the hard way and you have to pay your
dues, too,’ to a complete turnaround, where women are incredibly gracious and willing to
help other women to succeed,” Brocaglia says.
“The women who attend the forum have this determination to share and help each other,
be open and honest, and really go out of their way to make other women successful.
And that’s a huge advancement,” she says.
Anne Saita is the former senior director of news and events for the Security Media Group at
TechTarget, the parent company of Information Security. Please send your comments to
Head to toe, what traits would you build into the perfect CISO? Here are our top picks.
As a leader you need to see the big picture and how security affects business. “See issues through the eyes of others,”
STICK YOUR NECK OUT
Learn when and when not to take risks. “Be a problem solver and facilitator of solutions that meet the organization’s objectives,” says Jones.
Even when the times are rough and the threats are significant, stay the course with the appropriate amount of urgency
USE YOUR HEAD
Try to be pragmatic and a little paranoid at the same time. Think logically and you’ll always be one step ahead of the attackers.
Articulation is an undervalued trait. In your own office, clearly enunciate your directives and your staff will follow through.
TAKE A SEAT
Being able to sit down in the boardroom and translate technology imperatives into business sense will help outline the cost benefits of security to the higher-ups.
GO WITH YOUR GUT
Take advice, but in the end make the decisions yours. “Be an educator—always look to advance other people’s understanding of issues,”
Have the courage of your convictions. If you do, your staff will follow you even if your decision is not the most popular choice.
GET A LEG UP
Get your security objectives the attention they deserve. “Have the courage to take unpopular positions, but be open-minded and willing to change,” says Jones.
So, who is the perfect CISO? The case could be made for Jack Jones, former CISO of Nationwide Insurance (pictured right), who was awarded the Excellence in the Field of Security Practices trophy at the RSA Conference 2006 in
Jones led nearly 100 infosecurity professionals through various aspects of risk management while at the Fortune 100 company, and succeeded in creating a security policy modeled after
Jones has been able to bring his strengths to his new role. “Actually, one of the reasons I chose to move on was so that I could apply the lessons I’d learned and the skills I developed at Nationwide to a new environment.”
Jones stays humble about his excellence award and the accolades that come with it. But, who does he feel is the perfect CISO? “Not me. That person would need to be a superlative communicator—in all media, with all audiences at all levels inside and outside their organization.”
Wise words from a true infosecurity winner.
Compiled from interviews conducted by Anne Saita, Michael S. Mimoso, Marcia Savage and Kelley Damore, with input from Debby Fry Wilson, Adrienne L. Hall, Rebecca Norlander, Lisa “LJ” Johnson, Suzanne Hall and James Christiansen.
LEE J. KUSHNER is founder
and CEO of LJ Kushner
and Associates, a full-service
information security recruitment
firm. Please send
comments on this article
No two CISOs
Having recruited information security professionals
for the past 10 years, I am asked one question more frequently than
any other: “How do you become a chief information security officer?”
Unfortunately, it’s the most difficult question to answer.
If you asked 100 CISOs how they landed their jobs, you would probably
find 100 different paths to the top. A few common traits might
emerge—for instance, few CISOs have come into their roles by exclusively
working in information security. Most have backgrounds in general
information technology, physical security, finance, legal, marketing and
even human resources.
While many security pros have been practicing information security
for a long time, we tend to forget that the industry has only developed
over the past 10 years—a relatively short time compared to other corporate
disciplines like finance and sales. In each of these other professions,
the career map is set; virtually all CFOs and vice presidents of
sales have met certain career prerequisites. In our industry, we have not had the time to develop
these requirements. Corporations view information security in many different ways; therefore
their leadership requirements vary according to specific needs.
In my experience, I have collected some of the requirements that are associated with all senior
information security positions:
Vision: When a company is looking for an information security leader, often it will be for
the first time: Management wants someone who can lay out the corporate blueprint for all its
future security plans. Having a clear plan on the role the information security team should play
as it relates to the core business practices of the company is key. In most cases, companies will
search for someone who has successfully implemented a vision at another company, or who has
witnessed the successful implementation of a security program in a company within the same
Range of information security knowledge: It may sound obvious,
but companies look to their information security leader for the answers to all of their information
security-related problems. Regardless of whether the issues are technical, personnel, procedural
or regulatory, the CISO is expected to address all of these angles. Businesses want people
who have developed an excellent foundation within the information security industry and who
have illustrated the ability to solve information security-related problems. In addition, when
organizations are hiring a CISO, they are traditionally searching for someone who can address
the current issues facing the organization and see future ones before they cause problems.
Communication: Communication is not only the hardest skill to measure, but also the
most critical to have. CISOs serve many different constituencies within an organization, and they
BY LEE KUSHNER
are asked to communicate at different levels and to people with different degrees of technical skill;
they have to effectively express ideas up and down the management chain. Successful CISOs are
those who’ve earned the respect of the people leading the technical functions and can translate the
advantages of security controls to business unit leaders.
During the interview process, it is common for a potential CISO to be interviewed by a number
of people representing different functions within the organization. In these meetings, it is
essential that the candidate develop a consensus and establish a good feeling of collaboration. If
this interaction is successful, it will serve as a solid predictor of the CISO’s ability to understand
the complex needs of all constituents.
Execution and leadership: When talking about vision, being able to develop an
effective information security plan is only half the battle. CISOs are expected to map out their plan
and then execute against it; they are required to understand how to prepare a budget, build an
effective staff, make technology selections, report to executive management and solve problems.
Companies expect their leaders to lead. An effective CISO will understand how to get the most
out of his dedicated and shared resources. The company will look for the CISO to forge partnerships
with peers from other business units, and inspire them to accept—and hopefully embrace—
information security. Ideally, the CISO conveys the sense that he is enabling business functions,
not restricting them.
Passion: This is another seemingly obvious point, but it is the great differentiator. As a
newer discipline, information security isn’t always accepted by its peers within the corporate
infrastructure. Having a passionate leader often helps alleviate this problem. It’s been said many
times: Information security is a profession where no one recognizes when you are doing your
job well, but everyone notices when you are not.
The CISO carries the biggest bull’s-eye, and failure can lead to extreme public embarrassment
for both himself and the organization as a whole.
CISOs who can convey passion and conviction on a daily basis are effective in developing the
long-term respect necessary to implement their strategies throughout the company. It is this
cross-functional support that will often lead to a more security-conscious organization. These
organizations are traditionally the ones that stay out of the headlines.
When we ask information security professionals to list their career goals, becoming a CISO
is always high on the list. With the awareness that our industry has received and with increased
support from executive management, more information security leadership positions will be
And, the number of qualified information security professionals is growing, and competition
for these highly sought-after positions will continue to increase. It’s more important than ever
for CISO candidates to develop the skills listed above—and others—in order to ultimately land
and succeed at the job.
Assess your professional skills.
To take our quiz, go to
Your heart is pounding as the interviewer pelts you with questions
and hypothetical conundrums. We asked security pros what was
the best and toughest interview question they’ve ever answered.
Read on to prepare yourself before your next big interview.
What accomplishments are you most proud of,
both in business and personally, and why?
Suzanne Hall, director of IT operations for AARP, suggests that all interviewees be ready.
“Sometimes people just aren’t prepared when you ask this question, which surprises me,” she says.
How well do you think you’ll fit in with this company?
James Christiansen, CISO of Experian, warns not to let a question of culture knock you sideways.
He says that the toughest question is one where “the answer to the question is directly related to
the culture of the company, which you don’t yet know.”
Please give an example of a project that
did not go as well as expected.
Says LJ Johnson, CISO of Nike, “People think it’s a trick question when they’re asked about failures,
but what you want to know is what they learned from the experience.”
Will you be willing to travel?
“Who wants to be away from the family?” says Don Ainslie, global security officer for Deloitte & Touche.
“[Travel] is a balancing act I struggle with.” Know the answer before you go in to help make the
Why do you want to work for this company?
Rebecca Norlander, general manager of Microsoft’s Security Technology Unit, recalls the epiphany she
had when asked this question: “I realized that, actually, I didn’t…. Start by being true to yourself.
Don’t compromise your own moral compass—you have to live with yourself your whole life.”
Why are you the best person for the job?
“There are many qualified and great people that come to the table for roles in security and business at
large,” says Adrienne L. Hall, senior director of Microsoft’s Trustworthy Computing. “You need to be clear
on what you bring to the position that no one else does.”
How can you help this organization?
Debby Fry Wilson, director of security engineering and communications for Microsoft’s Security
Technology Unit, suggests that you do your homework. “A candidate who is well prepared and
genuinely seems to understand the challenges of my organization and can articulate how he or
she will help advance our strategy is ideal.”
—COMPILED BY AMBER PLANTE FROM INTERVIEWS BY
MICHAEL S. MIMOSO, MARCIA SAVAGE & ANNE SAITA
Résumé Do’s and Don’ts
We all know an employer looks at a résumé for 30 seconds.
Here are some surefire tips for standing out in the stack. BY LEE KUSHNER
Do’s
Write an appropriate objective statement (or omit it altogether).
Most employers will not read on if the objective does not match the position that they
are hiring for. For example, if a candidate were applying for a manager of network security
position at a financial services company, an effective objective statement would look
like this: “Objective: To find a leadership position that enables me to utilize my five years
of experience as a lead network security engineer and technical project manager at a global investment bank.”
Objective statements, however, are not a necessity. If a company has multiple positions that interest you, don’t paint
yourself into a corner.
Focus on the position you’re applying for.
The résumé should be geared toward the requirements of the specific position. (It’s OK to have different résumés
for different positions, but be careful about just changing the objective statement—it sometimes leads to a disjointed
For example, if the candidate were looking for a position within an industry outside of banking, he would most
likely omit the specific items geared exclusively towards financial services firms. In that case, the résumé should speak
to his accomplishments in network security and project management, with industry independence.
Explain short stays of employment.
Short durations of employment are the predominant reason qualified people aren’t considered for an opening. If you’ve
changed positions frequently, you need to explain the reasons for leaving in one line at the end of the description. Some
explanations read: “The position was eliminated,” “Recruited by my previous manager,” or “Offered a promotion.”
Employers react in different ways—candor is the best approach.
Watch the length.
A résumé reflects both your experience and your ability to communicate. It should provide a road map for tracking your
career and include all of your major accomplishments and responsibilities. Omit anything irrelevant to the current stage
of your career.
For example, a person less than five years into their career would want to list a student job at the university computer
lab. To someone with 25 years of experience, this type of a position would be inconsequential.
Here are some guidelines: The résumé should consist of two parts, a summary of career accomplishments (ranging
from one to three pages) and a listing of technical skills, certifications, education and related activities (a half page to
one page long). For every five years of work experience, you can add another page. The maximum number of pages you
should have is four. As you progress in your career, eliminate specific accomplishments from the end of the résumé and
replace them with new achievements.
Avoid being redundant.
Redundancy is the main culprit in making a résumé longer than it needs to be.
Listing the same bullet points under each of your last positions gives the appearance that you have not challenged
yourself. Be sure to accentuate your most current accomplishments in any position. Reinforce your skills, but avoid
overkill. Always point out promotions you have earned, and technical and non-technical skills that you have developed.
For example, if you authored an information security policy at your last three companies, list the accomplishment.
However, as you advance in your career, this skill should become a smaller component of your overall job function.
Don’ts
Many people like to embellish their roles and importance in their current and past positions because they believe that
it will enhance their chances of being considered for a position. Aside from possibly being dishonest, this is often
counterproductive: Hiring managers do not want to give a job to someone who’d be bored with it and quickly leave the
Downplay technical skills.
It is common for candidates to put together a résumé that de-emphasizes their technical background to appear more
business-focused and managerial. Information security professionals should embrace their technical roots; this is often
a differentiating factor when employers make their choices. Include a list of your technical and information security
skills as the last page of your résumé.
For the record, I have never been told that one of our candidates would not be offered a position because his technical
skills were too strong.
Go crazy with buzzwords.
Be careful how you choose to illustrate your strengths, especially when they relate to different technologies, solutions
concepts and regulatory standards. As a rule, do not list anything that you cannot back up with a level of work experience
or that you would not be able to have an informed discussion on with someone who has expertise in the area. Chances
are that person will eventually interview you.
Appear to be an expert in everything.
One of the best things about information security is that it comprises so many sub-segments that it has created different
areas of subject matter expertise. Be careful about claiming to be an “expert” on more than one topic—it may cause
some doubts about your level of proficiency. Also, when you claim to be an expert, interviewers will often choose to
challenge you during an interview to validate your claim.
Overemphasize extracurricular industry activities.
Being selected to write or invited to speak about particular industry topics can make you stand out from the pack.
Mention the speeches you delivered at various conferences, or the books you contributed to, during the interview itself;
on your résumé, be selective in what you include.
Employers want their employees focused on their position, not on external interests. Make sure a potential employer
views these activities as an enhancement to your job, not as a competition.
For a sample of a well-crafted
WE’VE ALL GOT TO START
We asked some security pros to share their first jobs,
proving that even the biggest of fish was little once.
“It was the height of disco when I graduated high school. I went to work for my dad’s
construction company that summer as a common laborer. That September, I joined
the U.S. Navy with advanced training in electronics, specializing in ship-borne radar.”
–TOM BOWERS, Information Security technical editor
“My first real job was delivering the daily Sacramento Bee when the only early morning paper was
on Sunday. I learned a lot about compromise, marketing (soliciting people to take the paper) and
setting priorities to business first, play time later.”
–KEVIN D. DICKEY, deputy CIO and CISO, Contra Costa County
“My first job was at an ice cream shop. I was hired as a ‘trainee,’ which allowed them
to pay me below minimum wage until I reached ‘sales staff’ status.”
–DESIREE A. BECK, technical lead, CME initiative, Mitre
“I was 14 and waitressing at a coffee shop. I watched people in business suits and wondered what kind
of exciting lives they had, and why they never tipped more than a dime.”
–TERRI CURRAN, director, corporate information security services, Bose
“My first job was helping test the efficiency of compressors used in air conditioners
and heat pumps. Although not related to infosecurity, this was a complex system of
measuring devices, data collectors and computers to run the tests and view reports.”
–RON GULA, CEO and CTO, Tenable Network Security
Choosing to join the U.S. Nuclear Regulatory
Commission (NRC) is a conscious decision to
contribute to our world at large. And, a conscious decision to work
for a Federal Government agency recognized for its excellence as
And, the NRC was recently recognized as one of the “Top 10 Best
Places to Work in the Federal Government” in 2005, according to the
Partnership for Public Service and American University’s Institute for the
Study of Public Policy Implementation.
We are currently seeking an IT Specialist (INFOSEC) to support efforts in
our Rockville, Maryland headquarters facility.
In this role, you will serve as an expert and consultant for assessing
information technology security and for developing policies, standards,
and guidelines related to the agency IT security program. You will also
assist the supervisor with responsibilities including planning and
executing all aspects of IT security oversight, organization/system
investment planning, financial management with multiple funding
sources, and contract administration; and recommend or determine
scope and extent of programs to be undertaken, organizational
arrangements, and resource allocation, etc., considering Commission
policy, priorities, workload, and urgent program requirements.
IT Specialist (INFOSEC)
Applicants must possess a broad knowledge of IT policy, and its
implementation, and a demonstrated knowledge of IT security
oversight. Demonstrated experience applying Federal Information
Technology (IT) security requirements, guidelines, and cyber-security
methods to major IT programs and systems is key, as is knowledge,
understanding, and ability to apply Federal computer security standards,
guidelines, and methods to major IT programs and systems. Extensive
experience in the development or review of IT security policies and
procedures, IT system certification and accreditation, IT security
reporting, and IT security issue resolution is essential, as is thorough
knowledge and practical experience in the development of major IT
systems using Federal IT security guidelines and standards as part of
the System Development Life Cycle Methodology. Salary range for this
position is $107,521 - $139,774.
How to Apply
For a detailed job description and to apply on-line, please visit our Web
site at: www.nrc.gov/who-we-are/employment.html and refer to
Vacancy Announcement #OIS-2006-0015. To enter your resume into
the system, simply prepare it using WordPerfect, Word, or another
commonly used program, then copy and paste your resume into
NRCareers. Only on-line applications will be accepted through 7/28/06.
An Equal Opportunity Employer. U.S. Citizenship Required.
Office Politics BY
There’s a fine line between success and failure, and sometimes the difference has
nothing to do with the merit of the project or how it’s presented. How many times
have you been in a situation where politics or personalities sidelined a decision?
Unfortunately, it happens a lot. Information security policies and procedures are
developed with the best of intentions, but often fail because they were created
without accounting for the dynamics of the organization for which they were built.
Success (as we’ve heard others say) has a lot to do with group dynamics,
motivation and leadership. Whether they realize it or not, the best infosecurity
professionals are situationally aware and attuned to what is happening to them
and their environment.
The MIT Sloan School of Management has developed a way to assess situations
around you. Called “Three Lenses,” it encourages managers to look at organizational
processes from different perspectives to understand how to excel.
• The strategic lens sees the organization as a machine that’s designed to
achieve business goals by completing required tasks. This perspective requires you to pay attention
to the organization’s reporting hierarchy, as well as informal teams and task force groups. What
rewards and incentives are used to encourage employees to achieve business goals? Here, organizations
flourish through methodical planning.
• The political lens is about power. It sees the organization from a Machiavellian point of
view and acknowledges diverse stakeholders who struggle for power and may have conflicting
interests. The organization’s progress depends on interest groups that compete for resources and
attention from top management. To succeed, you need to understand who has the power in the
organization and how employees can use that power to achieve their individual goals.
• The cultural lens examines the meaning that employees assign to situations. We all rely on
informal routines and traditions to guide decision-making; pay attention to cultural elements
such as the rituals and symbols that employees use. For instance, quarterly all-hands-on-deck
meetings are important at some businesses; others might encourage after-work socializing. Such
norms—or habits—are easy to take for granted, but they strongly affect behavior.
Which of the three lenses is right for your business? All of them. Unfortunately, as information
security professionals, we tend to approach security from a purely technological perspective,
without accounting for the “softer” side of organizations. Looking through three lenses into your
environment will change that.
Will this approach work? Well, consider a security management program that is not tied to the
organization’s strategic needs. If treated as a goal in itself, the program will become irrelevant.
Similarly, a security architecture that lacks support from influential individuals, regardless of
formal titles, will be unlikely to gain widespread adoption. A manager who devises policies that
conflict with the organization’s culture, perhaps by being too constraining or overly permissive,
will get stuck fighting a losing battle.
Try using these three lenses when you approach your next security project. They will help you
understand which measures are likely to work, which might fail, and who needs to be involved in
the development of the program in your organization.
When the security program succeeds, so will you.
Lenny Zeltser is the information security practice leader at Gemini Systems, a New York-based
IT consulting firm, and an instructor at The SANS Institute. Please send your comments on this
column to email@example.com
Photograph by JUPITER IMAGES
Buy the Book
These are our picks for the 10 must-have security titles you should always keep handy.
BY DAVID BIANCO & PATRICK MUELLER
Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition
By William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
Addison-Wesley Professional, www.aw.com, 455 pages, $36.95
This perimeter security text is perfect for serious security
professionals. The authors have mastered the art of applying
the theoretical to actual working applications; the result is
pragmatic advice from some of the finest minds in the field.
Hacking Exposed, Fifth Edition
By Stuart McClure, Joel Scambray, George Kurtz
McGraw-Hill, www.mcgraw-hill.com, 692 pages, $49.99
The original edition ushered in a new era of computer security
publishing, offering unabashed, technically detailed and fully
documented instructions on how to subvert the security of
a multitude of systems. Although some scoff at the series,
perhaps they just hate to see some of their secrets published.
Applied Cryptography
By Bruce Schneier
Wiley, www.wiley.com, 784 pages, $54.99
Any book that the National Security Agency prefers to remain
unpublished is bound to make great reading. Anyone doing
serious work with cryptography needs a copy. With a
comprehensive and excellent explanation of encryption
of all kinds, this book is second to none.
By Bruce Schneier, Niels Ferguson
Wiley, www.wiley.com, 432 pages, $50
Schneier’s sequel to Applied Cryptography will help you apply your newfound cryptographic skills successfully and securely. Think of them as volumes one and two of the same book.
Practical Unix & Internet Security
By Simson Garfinkel, Gene Spafford
986 pages, $54.95
The authors deliver an excellent introduction to a wide variety of computer and network security issues within UNIX.
By Ross Anderson
Wiley, www.wiley.com, 595 pages, $70
This book details security design and implementation strategies employed in real-world systems. Although many publishers employ strategies attempting to inflate the page count (and price) of a book, this 600-page masterpiece could only result from the dedication of an extremely knowledgeable veteran of the field.
The Tao of Network Security Monitoring
By Richard Bejtlich
Addison-Wesley Professional, www.aw.com, 832 pages, $54.99
“Tao” means “The Way,” and that’s what this book is: the way
to evolve IDS operations. The network security monitoring
philosophy is both obvious and completely revolutionary.
The Art of Computer Virus Research and Defense
By Peter Szor
Addison-Wesley Professional, www.aw.com, 744 pages, $49.99
Szor’s mastery of virus/antivirus technology is unparalleled,
and this comprehensive tome is the definitive work on the
subject. Although parts are inaccessible to all but experienced
assembly language programmers, antivirus is such a critical
technology that every professional should read this book,
if only to understand the problem.
A Guide to Forensic Testimony
By Fred Chris Smith, Rebecca Gurley Bace
www.aw.com, 560 pages, $54.99
As security pros, we stand a chance of being called into court to testify about the results of our investigations. The authors do a good job of explaining the challenges associated with information security cases and how to give the best testimony
By Brian McWilliams
256 pages, $22.95
account of real-life spammers and spam fighters is a must-read for anyone trying to squelch junk e-mail. There’s a freak show in here, but also a lot of good intelligence on the inner workings of the spam kings.
Photograph by MICHELLE JOYCE