In Depth

How you fund a CSO

Genzyme's CFO: An exec who gets it; Finding security equilibrium; Are our harbors safe?; Better budgeting; What employees who travel need from a CSO; Protecting your company's intellectual property; A true story of employee termination

By CSO Contributor

Page 5

Sure, the CSO has selfish reasons for wanting to find this balance. Nobody wants to see his budget slashed in half one year and doubled the next; that's disruptive.

But the CSO, in advocating for equilibrium, also has your company's best interests in mind. Security (good security, that is) is about risk mitigation, not response. It's about prevention, not reaction. And it's about long-term solutions, not quick fixes.

If something bad does happen, you may still need to react. Your organization's vulnerabilities might have changed, or maybe there's a new threat that needs to be addressed. But instead of cranking the security dial-o-matic from zero to 10 and then back down again, perhaps your CSO can help you nudge it from a five to a six.

None of this is quite as instantly gratifying as a new roll of duct tape, of course. But in the end, you'll be a whole lot better off.

-Sarah D. Scalet

Money Well Spent (and Spent and Spent...)

BUDGETING

Stop viewing security as a cost center. Turn it into a business driver.

Nearly everything you do at the executive level is measured in terms of cost and benefit. You use raw data such as financial statements, actuarial tables and decades' worth of academically rigorous research to ensure that for the shekels you shell out, you're getting something in return.

Security, though, is different. Or it was different. Your CSO gets the message loud and clear that he should spend the least amount of money possible to protect the enterprise. Security has long been considered a function that requires spending, with little or no measurable benefit on the investment. That's a discomforting thought when you're used to applying everyday business metrics to expenditures.

Security is a classic cost center. A comprehensive security program, including physical and IT security, fraud prevention, workplace safety and intellectual property protection, is no longer optional, according to Tina LaCroix, vice president and CISO of Aon. What's more, she says, "It's a forever commitment, not a one-time expense."

Sounds like bad news. But it isn't. As security and the CSO role rise in prominence, executives will bring their CSOs and CISOs, and their security requests, into the world of business, where investments are rigorously measured as something that must be proven beneficial.

Traditional theories and models of risk management must be inculcated into the security world, known for its traditionally dogmatic view. "If you don't manage risk, you're going to lose money," says security consultant Steve Katz, a former CISO for Merrill Lynch, Citigroup and J.P. Morgan. "Companies have been great about looking at credit risk or the risks of a particular customer or region. Companies and regulators are simultaneously beginning to realize the importance of operational risk and information security as a component of it."
