It's a tough job keeping hackers out of your business
A decade ago, few organizations had a dedicated chief information security officer. Now, more than half of corporations with 1,000 or more employees have an executive in the post, and they say it’s one of the toughest jobs there is.
The New York Times
SAN FRANCISCO — Pity the poor chief information security officer.
The profession barely existed a generation ago. But to combat the growing threat of online breaches, companies and governments are hiring executives whose main responsibility is to make sure data systems are secure. When things go wrong — and they often do — these executives expect to bear the blame.
“We’re like sheep waiting to be slaughtered,” said David Jordan, the chief information security officer for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.”
Chief information security officers have one of the toughest jobs in the business world: They must stay one step ahead of criminal masterminds in Moscow and military hackers in Shanghai, check off a growing list of compliance boxes and keep close tabs on leaky vendors and reckless employees who upload sensitive data to Dropbox accounts and unlocked iPhones.
They must be skilled in crisis management and communications, and expert in the most sophisticated technology, though they have come to learn the hard way that even the shiniest new security mousetraps are not foolproof.
And they face a drumbeat of news about breaches — like the arrest of a Russian this month on charges of hacking U.S. retailers — that constantly reminds them of the stakes.
“We have to be correct 100 percent of the time,” said Tom Kellermann, the chief information security officer at Trend Micro, a security firm. Cybercriminals, he said, “must be correct once.”
A decade ago, few organizations had a dedicated chief information security officer, or CISO (pronounced SEE-so), as they are known. Now, more than half of corporations with 1,000 or more employees have a full- or part-time executive in the post, according to a study conducted last year by the Ponemon Institute, a research firm.
The job has become so critical, recruiters say, that companies try to sweeten the deal. According to the study, they are dangling signing bonuses and salaries that range from $188,000 to $1.2 million, offering perks like the ability to work from home and generous time off, and promising larger budgets to buy more protection for porous systems.
Still, it is seen as a thankless job. Many of the chief information security officers who took part in the Ponemon study rated their position as the most difficult in the organization.
When Target was breached last year, it did not have a fully dedicated chief information security officer; it hired its first one in June. Beth Jacobs, who oversaw Target’s data protection, among other duties, was forced to resign. Gregg Steinhafel, the chief executive and board chairman, also lost his job.
Stephen Fletcher, who supervised data security for the state of Utah, resigned after a breach two years ago revealed the personal data of 780,000 Medicaid recipients. In January, Justin Somaini, Yahoo’s chief information security officer, left his post shortly before the company acknowledged a breach of some customers’ newly revamped email accounts.
The job is so pressured that many end up leaving — voluntarily or not — after two years, according to the Ponemon study.
Of all the headaches that chief information security officers face, one of the biggest is figuring out which security products to trust.
“In the old days, there was a saying, ‘Nobody ever got fired for buying IBM,’ because you could trust IBM,” said Andrew Caspersen, a former chief information security officer at Charles Schwab. “But security firms have never been able to establish that level of credibility.”
What is more, while many information-security officers agree that anti-virus software, a traditional form of protection, fails to defend against modern-day threats, some say newer products are not much better.
They also complain that it has become nearly impossible to evaluate products in the face of breathless marketing and fear.
Before accepting an offer, some applicants want to be sure the board agrees that breaches are inevitable, and that they need to allocate a high enough percentage of the budget for information technology to security.
“If you know you’re going to be sacrificed, you want a sufficient reason to take the job,” said John Kindervag, a security analyst at the market-research firm Forrester. “People aren’t talking about what we’re doing to these poor people. We’re putting all this complexity on their shoulders and then it’s just ‘Good luck!’ ”
To cope with such angst, many chief information security officers say they rely on humor. One joke — recounted to this reporter three times in one week — is the tale of the new security officer who meets his predecessor.
The predecessor hands him three numbered envelopes and tells him to open them in an emergency. After a breach, the new security officer opens the first envelope.
The message reads, “Blame your predecessor.” After a second breach, he opens the second, which suggests, “Blame your staff.” After a third breach, the security officer opens the third envelope.
The message reads, “Prepare three envelopes.”