What is a CSO, Part 2
How security and the CSO can create business value and competitive advantage
By Derek Slater
December 03, 2009 — CSO —
Maybe the single-most influential article on CSOonline.com has been What is a CSO? A number of people have helped big companies better understand the role—then create a better-funded and better-managed security function—by forwarding that article to a CEO, a CFO or an HR manager.
Here's a still more advanced way of understanding the CSO role and the business value of risk management.
In the 80s, Harvard business professor and consultant Michael Porter wrote about value chains. A simplified explanation of his theory is this:
Every company tries to build a great sales department. A great marketing department. Efficient financial systems. Excellent manufacturing operations. And because every company tries to make those functions great, it's very hard to get a big competitive advantage that way. Good departments are a basic requirement, likely not a competitive advantage.
The place to build competitive advantage, Porter said, is in how well those departments are connected to each other. Lots of value and speed is lost in passing information and goods between those functions. A company that takes the friction out of those interconnections will be faster, more nimble, better than a company that doesn't have the same fluidity.
If you apply this thinking to the CSO's role, you can see how to add value to your company. Instead of simply trying to "build a great security department", define your role this way: You are a connector. Your job is to help forge strong connections between other departments specifically on issues of operational risk. You reduce friction and thus build value in the value chain.
Here's a chart has been on my office wall for about four years. I find it very useful in explaining what CSO is about. It just dawned on me that you might find it useful too. (Hopefully I'm better looking than I am smart.)
The CSO is not in this diagram. You aren't the pie chart. What the chart depicts is how various executives and their functions have overlapping risk concerns. The job of the enlightened security leader is to help those executives see their common challenges and address them in a way that facilitates cooperation between departments.
A CSO doesn't necessarily "own" every slice of the pie. This has nothing to do with power or empire-building or even org charts. But a good CSO can see that every issue provides an opportunity to help connect the various functions within the company. Michael Porter says if you remove friction and solder smoother connections, you are providing a basis for competitive advantage for your organization.