Maybe the single-most influential article on CSOonline.com has been What is a CSO? A number of people have helped big companies better understand the role—then create a better-funded and better-managed security function—by forwarding that article to a CEO, a CFO or an HR manager.
Here's a still more advanced way of understanding the CSO role and the business value of risk management.
In the 80s, Harvard business professor and consultant Michael Porter wrote about value chains. A simplified explanation of his theory is this:
Every company tries to build a great sales department. A great marketing department. Efficient financial systems. Excellent manufacturing operations. And because every company tries to make those functions great, it's very hard to get a big competitive advantage that way. Good departments are a basic requirement, likely not a competitive advantage.
The place to build competitive advantage, Porter said, is in how well those departments are connected to each other. Lots of value and speed is lost in passing information and goods between those functions. A company that takes the friction out of those interconnections will be faster, more nimble, better than a company that doesn't have the same fluidity.
If you apply this thinking to the CSO's role, you can see how to add value to your company. Instead of simply trying to "build a great security department", define your role this way: You are a connector. Your job is to help forge strong connections between other departments specifically on issues of operational risk. You reduce friction and thus build value in the value chain.
Here's a chart that has been on my office wall for about four years. I find it very useful in explaining what CSO is about. It just dawned on me that you might find it useful too. (Hopefully I'm better looking than I am smart.)
The CSO is not in this diagram. You aren't the pie chart. What the chart depicts is how various executives and their functions have overlapping risk concerns. The job of the enlightened security leader is to help those executives see their common challenges and address them in a way that facilitates cooperation between departments.
A CSO doesn't necessarily "own" every slice of the pie. This has nothing to do with power or empire-building or even org charts. But a good CSO can see that every issue provides an opportunity to help connect the various functions within the company. Michael Porter says if you remove friction and solder smoother connections, you are providing a basis for competitive advantage for your organization.
Improve loss prevention and you've helped both the CFO and the COO. Improve your investigations processes and you're touching both Human Resources and Legal. Solid business continuity planning connects most of the functions on the outside of the circle.
This is why CSO continues to write about such a wide variety of topics: because of the opportunity it presents to help security add value, to become a business-enabling function (a phrase much in vogue these days, which is gratifying since we've been pushing the concept since Issue One in 2002).
See something on the chart that you don't know as much about as you'd like? Need to brush up, to understand the connections better? No problem. Here's an in-depth look at each topic on the list, based on real-world examples from security leaders like you:
Fraud Prevention: ACFE: Going Broad on Fraud
Loss Prevention: Shoplifting and Organized Crime: Mall Rats
Business Continuity: Business Continuity and Disaster Recovery: The Basics
Safety/OSHA: Safety and Security: The Intersection
Ethics: Corporate Ethics and Security: Case Study at American Standard
Investigations: How to Plan an Investigation
Background Checks: Undercover: Hard Questions About Background Checks
Workplace Violence: How to Prepare for Workplace Violence
Business/Competitive Intelligence: Next Stop for Security: Business Intelligence and Business Services
Intellectual Property Protection: Intellectual Property Protection: The Basics
Brand Protection: Brand Protection: The Expanding CSO Portfolio
Privacy: CPO and CISO: A Comprehensive Approach to Information
Information Security: How to Write an Information Security Policy
IS Audit: Information Systems Audit: The Basics