In Depth

How you fund a CSO

Genzyme's CFO-An exec who gets it; Finding security equilibrium; Are our harbors safe?; Better budgeting; What employees who travel need from a CSO; Protecting your company's intellectual property; A true story of employee termination

By CSO Contributor

Page 4

Companies need to think about the CSO role as part of their daily business life. While September 11 increased the awareness and need for CSOs, we know that you can't think of security in terms of one-time events. Our employees, our patents and our business are simply too important to take a chance. Think of it like electricity. When the power goes out for most of us, it's an inconvenience that means we might lose some food in the refrigerator. But the repercussions of a power failure increase significantly for someone on a respirator or other medical device that is vital to his life. Nonsecurity executives need to think about security the same way. The costs of a security failure can easily become a determining factor of a company's success or demise.

Michael S. Wyzga is corporate executive vice president, corporate controller, CFO and chief accounting officer of Cambridge, Mass.-based Genzyme.Be the TortoisePLANNING

As the United States prepared to wage war on Iraq, peace of mind could be had for $20 at the corner store. Duct tape, potassium iodide tablets and a 5-gallon jug of water were the celebrated "duct and cover" of the terrorism agebought, paid for and carried home in a paper sack. Here was something tangible that Americans could do, or at least think about doing: They could seal windows against chemical and biological agents, protect their families from radiation poisoning and have drinkable water in case the reservoirs were somehow poisoned. Problem solved.

But as the months went by with no new attacks on American soil, the water got drank and the duct tape unrolled, while the iodide pills gathered dust awaiting their expiration dates. Nothing had happenedso why bother buying more supplies? Crank the security threat dial-o-matic back to a one, kids, or maybe even a zero.

That is a human reflex, and one that plagues corporate America as well. For businesses, the sequence goes like this: Perceive a threat, probably because something terrible has happened, like a website defacement. Scurry around throwing money at the problem for a month or two. Then, when nothing else happens, decide the money was wasted. Ignore threat. Reduce funding. Shampoo. Rinse. Repeat.

We overreact when something bad happens and underreact when nothing happens at all. That's no way to approach security. And nobody understands that better than a CSO. In fact, a primary role of the CSO is to help your organization find equilibriumto ensure that you don't foolishly spend your wad on iodide tablets one day, when what you really should do is have ongoing family discussions about how and where you would find one another during an emergency.