The evolving role of the chief security officer

Rethinking effective risk management for 2017

cso50 intro
Credit: Steve Traynor

It wasn’t so long ago that a Chief Security Officer’s (CSO) job was relatively straightforward: secure the premises by focusing on facility access, guard services, and camera surveillance. Yet today, CSOs are charged with mitigating an array of interdisciplinary and intersecting risks across the enterprise.

Remote access to buildings, interconnected air handling units, and remotely monitored vending machines all provide potential new entry points for threat actors. Emerging regulations, such as SEC rules that affect business continuity and transition plans, also compound the pressure on CSOs to address the complexity of this risk landscape and integrate new mitigation strategies and tactics into traditional physical security processes.

Consequently, the CSO’s role is evolving into a mission-critical service that spans risk areas ranging from data protection and vendor due diligence to regulatory requirements for business continuity and compliance management.

Addressing the changing threat landscape

Today’s CSOs must manage risks spanning five multidisciplinary areas that have not traditionally intersected with the narrow scope of safety and security, covering policy development, resource procurement, and execution to mitigate threats, vulnerabilities, and risks in the following spheres:

1. Cyber and Information: Data protection, intrusion testing, data breach and recovery, economic espionage, and internal threat assessment and privacy.

2. Legal and Regulatory: Litigation support, regulatory liaison and investigation, and remediation efforts related to financial crimes, fraud and corruption, and whistleblower litigation. 


3. Diligence, Business, and Geopolitical Intel: Transactional diligence, commercial diligence and intelligence, employment screening, internal investigations, and geopolitical risk assessment. 


4. Governance, Risk, and Compliance: Audit expertise, risk, insurance, and reputation management.

5. Medical and Psychological: Employee counseling, crisis intervention, employee productivity, and workplace violence.

Three pillars of protection

CSO wordjumble Jonathan Wackrow

In order to manage the responsibilities associated with these risks, CSOs can prioritize their strategic objectives and tactical actions using the following framework:

1. People: Identify and acquire key personnel to support development and growth of the organization’s corporate security department. All relevant employees must be trained in security and safety initiatives and be able to implement communications plans. Further, all employees must be trained and encouraged to identify safety and security concerns and provide feedback. CSOs must also identify preferred vendors and partners to support in-house efforts to respond to changing risk environments.


2. Process: Prioritize utilization of vulnerability assessments to ascertain potential impact threats have on the organization. This, combined with benchmarking levels of security awareness, emergency preparedness, and compliance with established policies and procedures will inform specific initiatives for holistically understanding the entity’s security ecosystem.

3. Technology: Employ technology solutions and security systems to assist decision-makers in better utilizing the critical information and resources at their disposal.

Three steps for better leveraging the CSO

At the organizational level, the CSO is an integral stakeholder. Too often, however, the CSO is overlooked, under-resourced, and underutilized. Below are three steps that companies can take to better leverage this critical resource:

1. Ensure CSOs have the resources they need. CSOs often grapple with the need to demonstrate repeatedly the ROI of increased security costs. Resource and budgetary constraints can limit a CSO’s ability to effectively hire security staff and invest in new tools, but these shouldn’t force a trade-off between managing risk and scaling resources in an increasingly complex world. 


2. Provide CSOs access to relevant information and expertise. To succeed in this expanded role, CSOs will need access to information that helps them to identify risks that can adversely affect the safety of personnel or the security of facilities. CSOs will also need the authority to engage with individuals at all levels of the organization and the ability to go outside of the organization to find expertise when needed. By analyzing information and coordinating activities with both internal and external stakeholders, a CSO can better ensure that his/her company is prepared for the possibility of a security incident.

3. Focus on long-term, developing threats. Organizations traditionally tend
 to prioritize current risks over long-term, developing threats. For example, prevention programs for workplace violence and employee monitoring for pre-attack behaviors often take a back seat to promoting basic internal security awareness. Focus on short-term risks can limit a CSO’s ability to understand future resource requirements. Today’s strategic-level CSOs adopt a longer-term view to anticipate emerging threats and to implement proactive mitigation measures that decrease the likelihood and impact of future incidents.

The bottom line

At the organization level, companies should empower CSOs to play a more strategic part in overall enterprise risk management plans. By leveraging their CSOs’ experience, knowledge, and relationships in advance, organizations can facilitate more holistic and proactive planning. CSOs can also use the framework of “people, process, and technology” to prioritize identifying and remediating vulnerabilities arising from new cyber and information security concerns; emerging legal and regulatory requirements; geopolitical threats; governance and compliance obligations; and employees’ medical and psychological well-being.

By harmonizing both organizational and CSO objectives, companies can strengthen their enterprise security posture, implement processes necessary to address threats and realize gains in both the bottom line and overall business efficiency.

This article is published as part of the IDG Contributor Network. Want to Join?

Cybersecurity market research: Top 15 statistics for 2017