InfoWorld

Are security pros worrying about the right stuff?

Worms are scary, but experts say personnel issues should get more attention


"We have security like a government installation, but this is a creative environment and I'm not a general," Maness says.

Risk management can sound like a "Mission: Impossible" episode in large organizations with many lines of business, tens of thousands of employees, and lots of applications and networks to keep an eye on.

"I'm always on call," says Jalal Zamanali, senior vice president of IT and CISO at Temple-Inland in Austin, Texas, and its subsidiary Guaranty Financial Services, with combined interests in corrugated packaging, forestry, real estate, and financial services.

Although he has a security staff of 17 to stay abreast of IT projects, Zamanali says his top concern is making sure security controls are on track in terms of regulatory compliance rules related to the SOX (Sarbanes-Oxley) and Gramm-Leach-Bliley laws.

"The chief audit officer has to translate these laws into control points," Zamanali explains. Consequently, Zamanali — who reports to the chief risk officer — makes sure he meets with the chief audit officer about once a week to discuss compliance issues. "We've created a great partnership with the audit team," he says.

But Zamanali's worries don't stop with regulatory compliance. "Our job is to be political and technical, so I have to understand the objective of the business," he says.

That means making sure there are meetings with the CEO, the CFO, the CIO, and line-of-business managers to hear their plans and make sure appropriate security is part of them.

Beth Cannon, CSO at merchant bank Thomas Weisel Partners in San Francisco, says audits to provide evidence that security policies are enforced in IT systems and processes are her main worry.

"This was triggered by the fact that we went public last year," Cannon says. "In the IT department, we organize the evidence that shows we're following policy, only now the evidence has to be more structured for external and internal auditors."

Cannon says she's looking into how to more easily aggregate data into IT-related evidence for reports and to promote a change in IT department functions.

"Sometimes it's as simple as making sure there's a change-control ticket, for example, instead of just flying back with an e-mail," she says. "For IT, sometimes it means a fundamental shift in behavior."

What CSOs should be worrying about
Consultants and other industry experts don't dismiss the issues that CSOs and CISOs are worrying about, though they recommend a host of things that might warrant even more of security professionals' attention.

CSOs should worry about losing their jobs because all too often their stance on security is seen by upper management as overly technical or a bad fit, says Jon Gossels, president and CEO of consultancy SystemExperts in Boston.

"There is a mismatch between what the CSO is trying to accomplish and what the business expects," says Gossels, who adds that CSOs should be worrying about "how do you develop expectations for a business that are achievable?"

All too often, Gossels says, the top heads of security "tend to get fired. The CSO position is a very high-turnover position. They lose their jobs all the time."

Brad Johnson, vice president at SystemExperts, says one key worry that CSOs should have is where and how they're going to find and retain the best security-savvy employees.

Ellen Messmer is a senior editor for Network World, an InfoWorld affiliate.
Copyright © 2008. All Rights reserved.