Change Management: Hurdles Cleared In a CSO's First Year
A new CSO learns that it takes support from the top and a strong business background to lead organizational change
By Anonymous
September 01, 2004
CSO
I've recently finished my first year as a chief security officer, and it has been interesting to say the least. I don't like boredom
In our company, assignments such as mine are part of a long-term plan for moving midlevel and senior managers into various positions. This is both a professional development strategy and a way to get people from different backgrounds to collaborate. It works. I have an MBA and have worked at this company my whole professional life. Our business is both technology-dependent and intellectual-property rich. But frankly, I'd not taken much notice of security prior to considering the CSO job. I entered into it thinking the role might be a career cul-de-sac.
I was wrong. I've been in several business lines: worked in finance, internal audit and HR. But I never before had the perspective on our company's business that this assignment has offered. Admittedly, the view is not always pretty. But the work has repeatedly challenged my ingrained desire to deliver a valued service.
My central challenge was both professional and organizational. I was installed to act as a change agent, to make corporate security an essential factor in the decisions that our top executives and board of directors make. There was also the hurdle of fitting in with professional peers
Those management expectations rose in recent years: Increasingly, insidious threats to our technology infrastructure and the reality of domestic terrorism posed critical risks. Federal regulations such as Sarbanes-Oxley significantly raised the bar on corporate integrity.
Our CEO saw these developments as a wake-up call. He reorganized our board of directors and ordered a top-down review of our controls. As a senior auditor at the time, I led that review. With the lights shining on the whole governance infrastructure, the shortcomings of our system of controls glowed in the dark. We were not anticipating risk. We failed to seek out vulnerabilities in business processes. Friendly audits were not revealing. While our company has a culture of doing the right thing, the lack of an embedded policy infrastructure clouded our expectations around integrity. Security was seen as an impediment to productivity.