Security Leadership: Carpe Diem
CSOs need to seize the opportunities that lie before them or give up their seat at the table.
By Anonymous
July 01, 2004 — CSO — It's becoming clearer and clearer to me that members of the information security community are enamored with the CSO title and have taken it for their own. And apparently there's nobody to challenge them or to correct this overstatement of responsibilities.
In fact, this very magazine recently ran an article noting the creation of the Global Council of CSOs comprising highly regarded information risk management professionals. In it, Howard Schmidt was asked to comment on the apparent lack of inclusion of physical security in the Council's scope. Schmidt confessed that he's "been forgetting to do that." Unfortunately, such oversight sums up the current landscape where we CSOs are unable even to define the elements of corporate protection within our scope of responsibility. (I'm just as dismayed, by the way, at the prospect of a CSO who owns only physical security and investigations as I am by one who is the sole proprietor of information security.)
Why does this balkanized viewpoint bother me? Because security is fundamentally about risk. The business imperative is sponsored by broader, deeper and more immediate risk, and the consequences potentially include corporate and executive survival. Board members and senior executives can no longer think simplistically about securing their corporation with antivirus software and a physical security program comprising a low-bid guard contract and an access control system. CSOs need a business model that clearly defines the scope of security responsibilities and a job description that includes oversight of securing every aspect of the organization.
Problem is, none of us who allegedly know something about the business of security has effectively debated, packaged and sold an alternative model. Which is ridiculous when you think about it. I mean, you expect to find a fairly extensive business school curriculum and established corporate models on the functions of a chief financial officer. Not so for CSOs. And generally, everyone knows what a CIO or CTO is responsible for. Can you say the same for CSOs?
Ethics officers, whose association has only been around since 1992 (following the publication of the U.S. Sentencing Commission Guidelines for corporations), are apparently commanding salaries that would choke a horse. Yet do you really think stakeholders such as the American Management Association, the Society of Human Resource Managers or any other big-shot organizations have a clue about what an organizational model for corporate security should look like?
ASIS International has just published comprehensive guidelines on the CSO role. But historically, ASIS has not contributed to the development of a common framework for businesses to emulate. Hell, even the International Security Management Association (ISMA), which bills itself as the "worldwide organization of chief security officers," has a constituency that possesses almost as many titles as there are members, and the diverse scope of responsibilities among them is representative of the lack of a common organizational model.
One-Stop Shopping
Of course, the notion that one size doesn't fit all is an important one. Every organization perceives security-related risk a little differently. And there are always vested interests. CIOs would likely opt for retention of infosec and business continuity planning. Legal officers and chief auditors have a stake in investigations, and HR has an interest in background checks. The facilities guys traditionally keep property and people protection in their portfolio of services.