Opinion

CSOs: Three and Out?

The "State of the CSO 2008" survey results indicate that the position has more staying power than it had in the past.

By Derek Slater

June 16, 2008 — I've had this cynical idea floating in the back of my brain for a while: The optimum tenure of a CSO might only be three years.

The reasoning, based on a lot of discussions with CSOs, looked something like this: Year one, you've probably been invited to clean up someone's mess. Year two, your new policies are getting traction, your budget is approved, your new systems are getting implemented. Year three, your benchmarks are showing the results of your labors. Awareness is up. Incidents are down.

But something else is happening in year three. Namely, some other leadership positions in the company have changed and new management doesn't agree with your priorities. Meanwhile, the people who've stayed are getting tired of your voice and some (or all) of the controls you've put in place. The mess you cleaned up has been more or less forgotten. (Which reminds me of the story Locked Out from a few years back.)

At that point, you might choose to throw up your hands and "become a consultant" for a while, as so many security leaders do. The consulting lifestyle (in the instances where it isn't a euphemism for "looking for another full-time job") definitely has its downsides, but at minimum it ensures that the folks you're talking to are mostly not tired of your voice.

As I said, it's a cynical thought. Happily, when I look at the results of our "State of the CSO 2008" survey, I see reason for hope. Respondents say the importance of risk management continues to rise in the corporate world (even if regulations remain a primary driver). Senior managers (though not the average employee so much) demonstrate more and more of a grasp on their own security-related responsibilities. Security job tenures are even up.

Why is that? I think it's because you're doing a better and better job of speaking in the language that resonates with your fellow businesspeople. We've been conducting this research since 2003, and the percentage of survey respondents who have MBAs continues to rise slowly but steadily. That's just one data point, and the MBA isn't a cure-all for security. Nevertheless, I think it's a telling sign.

So now what? I think the business savvy that CSOs are showing has to be pushed aggressively to the rest of the security staff. Stronger security personnel yields stronger security. To that end, we've focused the articles in our June print issue on personal development areas that you can use to refresh your own memory and disseminate to your staff. We'll roll these articles out online over the week of June 16th.
