Much of the clout CSOs gain will come from the market evolving. In asense, the software makers create clout for the CSO by asking her todeploy the product for ever more critical business tasks. At somepoint, the potential damage an insecure product could inflict willdictate whether it will be purchased.

"Two years ago, the marketing strategy was to just get it out there.And some of the stuff that went out was really insecure," says theanonymous ISO at the large financial institution. "But now, we justsay, applications don't go live without security. It's asledgehammer."

And it's not a randomly wielded one either. His company has created aformal process to assess vendors' applications and his own company'ssoftware development as well. It includes auditing and penetrationtesting, and the vendors' conforming to overarching security criteria,such as eliminating buffer overflows and so forth. It's not unusual,the security officer says, for his group to spend $40,000 per quartertesting and breaking a single application.

"Customers are vetting us," says Davidson. "Not just kicking thetires, but they're asking how we handle vulnerabilities. Where is ourcode stored? Do we do regression testing? What are our secure codingstandards? It's impressive, but it's also just plain necessary.

"They have to be demanding. If customers don't make security a basiccriteria, they lose their right to complain in a lot of ways whenthings go bad," she says.