A Tough Corporate Job Asks One Question: Can You Hack It?

July 20, 2014


SAN FRANCISCO — Pity the poor chief information security officer.

The profession barely existed a generation ago. But to combat the growing threat of online breaches, companies and governments are hiring executives whose main responsibility is to make sure data systems are secure. When things go wrong — and they often do — these executives expect to bear the blame.

“We’re like sheep waiting to be slaughtered,” said David Jordan, the chief information security officer for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.”

Chief information security officers have one of the toughest jobs in the business world: They must stay one step ahead of criminal masterminds in Moscow and military hackers in Shanghai, check off a growing list of compliance boxes and keep close tabs on leaky vendors and reckless employees who upload sensitive data to Dropbox accounts and unlocked iPhones.

They must be skilled in crisis management and communications, and expert in the most sophisticated technology, though they have come to learn the hard way that even the shiniest new security mousetraps are not foolproof.

And they face a drumbeat of news about breaches — like the arrest of a Russian this month on charges of hacking United States retailers — that constantly reminds them of the stakes.

“We have to be correct 100 percent of the time,” said Tom Kellermann, the chief information security officer at Trend Micro, a security firm. Cybercriminals, he said, “must be correct once.”

A decade ago, few organizations had a dedicated chief information security officer, or CISO (pronounced SEE-so), as they are known. Now, more than half of corporations with 1,000 or more employees have a full- or part-time executive in the post, according to a study conducted last year by the Ponemon Institute, a research firm.

Companies like VeriFone, the electronic payments systems provider; Brown-Forman, the beverage company; the Universities of North Carolina and Chicago; and younger upstarts like Fitbit, are all looking for dedicated security officers. Neiman Marcus, which suffered a major breach last year, is seeking its first one.