In Depth

Identity Crisis

Amidst terrorism threats and world turmoil, you'd think that support for security would be at an all-time high. You'd be wrong.

By Derek Slater

June 01, 2003 CSO — Leave it to the shrinks to come up with the very best way of describing a mess. By labeling the current executive security profession as suffering through an "Identity Crisis," we mean no disrespect to individual CSOs. What we're seeing, though, is a mess - an unformed role still rife with assorted uncertainties.

Not that the world itself hasn't always been rife with vulnerabilities, but never more so than it is today. As fear of terrorism and geopolitical anxiety escalate, security seems to be on everyone's mind. In the newly networked corporate climate, in particular, the need for a coordinated security effort is at an all-time high. And yet, just as the security function seems poised to make an entrance into the corporate ranks...there's a steady flow of security executive layoffs. And only a marginal increase (at best) in security spending.

That's the nature of the identity crisis: The CSO is not yet widely established as a legitimate corporate executive, although all the signs say that security should be more important than ever. Indeed, there's precious little consensus about how to make the corporation secure - how the function should be organized and governed, who should lead it, what skills they need, and how to measure their effectiveness. Consultant Thornton May sums up the widely held perception of security in this way: Despite the very best intentions, CSOs "haven't made their enterprises more secure - they've just centralized blame," effectively giving the CEO one neck to choke, no matter what kind of breach has occurred.

Resolving the crisis will require a significant reworking of the security executive skill set - a daunting, but not impossible, task. If precedent counts for anything, it's worth remembering the evolution of the CIO. The title first appeared in the mid-'80s, when the CIO was simply known as "the data processing guy." CEOs demanded return-on-investment calculations; CIOs countered that IT was a special case. "Standard business metrics don't apply to us," they'd say, the subtext being, "You, Mr. CEO, can't understand technology."

After suffering through years of misaligned IT departments, CEOs got fed up and yanked the technical guys out of CIO positions and replaced them with line-of-business managers who had no technical background. It was a wake-up call for many CIOs: Technology would, in fact, be subject to the same disciplines as other business functions. Today, an MBA is a more common credential for CIOs than any technical certification.

Early CIOs failed in the same way many security leaders are foundering today: They alienated themselves. A similar epoch may befall the CSO unless he can create certainty among senior executives that the security function is centered - 100 percent - on making business possible and more profitable.
