He couldn’t have known the significance of the call. He would never have guessed.
WhiteHat Inc. had just opened its doors to students arriving for a four-day IT security course. As the company’s chief security officer
(CSO), Tom Slodichak, waited in the training room for class to begin, his pager buzzed as it had so many times before. This time, however, the news would be like nothing he had ever heard. It was about 8:50 a.m. on Tuesday, Sept. 11, 2001.
At about the same time, students’ cell phones and pagers began sounding off as though a cat had walked into an aviary. One by one they all discovered what Slodichak learned only moments before: a plane had crashed into the north tower of the World Trade Center.
What they didn’t know was what was to come.
In a sense, even one year after the terrorist attacks, we still don’t know what’s to come, and the topic of IT security post 9/11 is an uneasy one. (The Canadian Imperial Bank of Commerce, the Royal Bank of Canada and Scotia Bank, for example, either declined to talk or didn’t return calls when approached for this story.) If the hijacking of four planes within the United States can be choreographed, experts wondered, how hard can it be to mount something more dangerous than a denial of service attack?
More and more of the unspoken burden has been taken on by Slodichak and his peers. As CSO he is responsible for both the physical and virtual protection of the Toronto-based security company. This includes outward-facing duties like consulting and identifying new threats, methodologies and technology along with inward-facing duties like developing internal security policies. He says while companies haven’t been rushing out to appoint CSOs, there have been some subtle changes.
“”I don’t see any more of us out there, because we were already there,”” says Slodichak, who’s been involved in IT security since 1995. “”When you move downwards through the list and get into the (non-Fortune 100) companies, maybe you’re not seeing the title but you’re seeing people who have been cast with that role and those responsibilities.””
There is evidence, however, that the number of official CSOs is growing: U.S. trade magazine publisher International Data Group recently launched a magazine called CSO, for example, and at least one U.S. training firm is offering courses for individuals in the role.
Given the breadth of responsibilities and no established blueprint for where a CSO fits in, the corporate hierarchy is a bit unclear, some say.
“”I think what’s happened is a lot of people have had to go out and buy a new hat, which is a CSO hat, and there’s no real formal framework under which a company can mold that role because it’s an evolving role,”” says Robert Half Technology analyst Stephen Mill.
Line Lafrance wears that hat for Avalon Works Corp. Like Slodichak, she is responsible for physical and virtual security for the Ottawa-based security company. Appointed to the new post in June, she says she has found herself dealing with both the technical and non-technical aspects of the company.
“”As CSO, you sort of fit in everywhere. As far as the CIO is concerned, he’s going to get direction from me on how to adequately protect the information that we hold, either our information or client information. From the CTO’s perspective, he’s going to refer to me to ensure that the technology he chooses is in line with the security standards we wish to maintain.”” Once those issues have been dealt with it’s off to HR to do security checks, she adds.
Despite the multifaceted nature of her job, Lafrance says she views her primary responsibility as protecting the company’s information and that of its clients (mostly governmental agencies). She says while almost everyone has been trying to improve security, there is still a gap between the private and public sector.
“”The government’s risk tolerance is very low compared to the private sector,”” Lafrance reasons. “”The private sector sometimes is very scary. I guess it’s because they don’t have much of a budget, so they take more risks.””
According to the Cutter Consortium‘s Mark Seiden, it could be worse.
“”Canada in general is not only better off than the United States typically, but more hip than the United States about many aspects of information security. I think that had to do with the U.S.’s regressive policies toward encryption,”” says the senior analyst for the Arlington, Mass.-based company.
While government networks are relatively secure, Slodichak says the feds could be doing more to spur change and encourage tighter security. He cites Richard Clarke’s appointment as cyberspace security adviser to the White House and technological town crier role as an example. The Bush administration seems to be listening: Its proposed budget for fiscal 2003 calls for US$4.2 billion to be spent securing federal networks, a 56 per cent increase over fiscal 2002. Software vendors looking to cash in had better look a closer look at their products.
“”Manufacturers that don’t have certified software simply won’t dip in to the US$20 billion government software purchases over the next three years. So as (Richard) Clarke said, ‘We’re going to make our purchasing power a security tool,'”” Slodichak says.
The ability to influence the public’s behaviour, however, will be just as important. It’s easy to forget the Nimba worm, which caused damages estimated in the billions of dollars was launched Sept. 18. CSO or not, we all have a role to play.
“”It’s easy to control systems within the boundaries of a company, at least 99 per cent of the time,”” Slodichak says. “”It’s harder to go after millions of people whose computers could potentially be used as launching points for denial of service attacks or to be used as a mirror in a concealed attack.””
— With files from Gary Hilson