Not for Fainthearted Executives: Keeping the Hackers at Bay

By NICOLE PERLROTH / New York Times News Service

SAN FRANCISCO - Pity the poor chief information security officer.

The profession barely existed a generation ago. But to combat the growing threat of online breaches, companies and governments are hiring executives whose main responsibility is to make sure data systems are secure. When things go wrong - and they often do - these executives expect to bear the blame.

“We’re like sheep waiting to be slaughtered,” said David Jordan, the chief information security officer for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.”

Chief information security officers have one of the toughest jobs in the business world: They must stay one step ahead of criminal masterminds in Moscow and military hackers in Shanghai, check off a growing list of compliance boxes and keep close tabs on leaky vendors and reckless employees who upload sensitive data to Dropbox accounts and unlocked iPhones.

They must be skilled in crisis management and communications, and expert in the most sophisticated technology, though they have come to learn the hard way that even the shiniest new security mousetraps are not foolproof.

And they face a drumbeat of news about breaches - like the arrest of a Russian this month on charges of hacking U.S. retailers - that constantly reminds them of the stakes.

“We have to be correct 100 percent of the time,” said Tom Kellermann, the chief information security officer at Trend Micro, a security firm. Cybercriminals, he said, “must be correct once.”

A decade ago, few organizations had a dedicated chief information security officer, or CISO (pronounced SEE-so), as they are known. Now, more than half of corporations with 1,000 or more employees have a full- or part-time executive in the post, according to a study conducted last year by the Ponemon Institute, a research firm.

Companies like VeriFone, the electronic payments systems provider; Brown-Forman, the beverage company; the Universities of North Carolina and Chicago; and younger upstarts like Fitbit, are all looking for dedicated security officers. Neiman Marcus, which suffered a major breach last year, is seeking its first one.

The job has become so critical, recruiters say, that companies try to sweeten the deal. According to the study, they are dangling signing bonuses and salaries that range from $188,000 to $1.2 million, offering perks like the ability to work from home and generous time off, and promising larger budgets to buy more protection for porous systems.

Still, it is seen as a thankless job. Many of the chief information security officers who took part in the Ponemon study rated their position as the most difficult in the organization. Most of those questioned said their job was a bad one, or the worst job they have ever had.

When Target was breached last year, it did not have a fully dedicated chief information security officer; it hired its first one in June. Beth Jacobs, who oversaw Target’s data protection, among other duties, was forced to resign. Gregg Steinhafel, the chief executive and board chairman, also lost his job.

Stephen Fletcher, who supervised data security for the state of Utah, resigned after a breach two years ago revealed the personal data of 780,000 Medicaid recipients. In January, Justin Somaini, Yahoo’s chief information security officer, left his post shortly before the company acknowledged a breach of some customers’ newly revamped email accounts.

The job is so pressured that many end up leaving - voluntarily or not - after two years, according to the Ponemon study. This compared with chief executives, who stick around for 10 years on average, according to other research.

Of all the headaches that chief information security officers face, one of the biggest is figuring out which security products to trust.

“In the old days, there was a saying, ‘Nobody ever got fired for buying IBM,’ because you could trust IBM,” said Andrew Caspersen, a former chief information security officer at Charles Schwab. “But security firms have never been able to establish that level of credibility.”

What is more, while many information security officers agree that antivirus software, a traditional form of protection, fails to defend against modern-day threats, some say newer products are not much better. They also complain that it has become nearly impossible to evaluate products in the face of breathless marketing and fear.

A report in March by NSS Labs, an independent research group, highlighted the problem. In comparing breach detection products, NSS Labs found that products sold by FireEye, Wall Street’s one-time security darling, did not perform as well as Cisco’s Sourcefire, Trend Micro and cheaper offerings from General Dynamics’ Fidelis and Fortinet.

The report immediately kicked off a dispute after FireEye called the methodology “severely flawed,” an assertion that NSS Labs challenged. And it sent FireEye’s stock, which had tripled since its debut on the public market, into free fall.

But security officers say the test did not tell them anything they did not already know. They say there is no silver bullet when it comes to breach defense. It is a matter of layering the most effective technologies, hiring the best people, then hoping for good luck.

Candidates for a job as an information security officer are careful to have the difficult conversations upfront, recruiters say. Before accepting an offer, some applicants want to be sure the board agrees that breaches are inevitable, and that they need to allocate a high enough percentage of the budget for information technology to security.

“If you know you’re going to be sacrificed, you want a sufficient reason to take the job,” said John Kindervag, a security analyst at the market research firm Forrester. “People aren’t talking about what we’re doing to these poor people. We’re putting all this complexity on their shoulders and then it’s just ‘Good luck!’”

To cope with such angst, many chief information security officers say they rely on humor. One joke - recounted to this reporter three times in one week - is the tale of the new security officer who meets his predecessor.

The predecessor hands him three numbered envelopes and tells him to open them in an emergency. After a breach, the new security officer opens the first envelope. The message reads, “Blame your predecessor.” After a second breach, he opens the second, which suggests, “Blame your staff.” After a third breach, the security officer opens the third envelope.

The message reads, “Prepare three envelopes.”