How you measure a CSO

When profits go up, the CEO gets a good review. When revenue goes up, the CFO gets a good review. When operating expenses go down, the COO gets a good review.

But when nothing happens, the CSO has ostensibly done his job, and yet he gets pelted with questions: "Why are we spending all this money on security if nothing is happening?" or "How do we know the money we spent actually prevented incidents?" or even "Why can't we cut your budget since it seems like we're at a low risk for security incidents right now?"

The CSO role is unique when it comes time for an annual review or a bonus. How do you measure the CSO's effectiveness when success means that nothing happens, and when nothing happening might just be dumb luck?

It's harder to review a CSO's performance than, say, that of a CFO, but it's not impossible. It's a matter of gathering circumstantial evidence by asking the right questions. Here are some guidelines.

Do not keep score. To paraphrase a famous crass saying, incidents happen. If your company suffers a security breachinternal or externalthat is not, in and of itself, grounds for docking points on your CSO's scorecard. In certain egregious cases, it might be obvious that the CSO didn't do what was needed to prevent an incident (for example, he had no policy in place to restrict building access), ora pattern of incidents could show failure at the CSO level. But in the vast majority of cases, security incidents cannot be predicted, only prepared for and effectively mitigated.

So while the impulse may be to simply tick off all the bad stuff that happened in your CSO's tenure, that's not the way to judge his overall performance.

In the event of an incident, note how the CSO responds. A good CSO is calm under pressure and will be a natural leader during a security crisis. If you are unfortunate enough to suffer an incident, even a minor one, watch the CSO as he deals with the breach. Is he taking charge, or is he immediately blaming others for not following policy? Does the CSO seem prepared to deal with the incident, or is the response sporadic and reactionary? If it's an internal incident, is the CSO prepared to take disciplinary measures? And are those measures standard and consistent, or do they seem arbitrary? If one employee gets suspended for e-mailing sensitive data, every employee who does that must be suspended. No exceptions! Inconsistent enforcement of policy will doom security.

Does your CSO remain in contact with the board during an incident, and is that communication clear and concise, or is he fudging the story and making excuses? You can learn so much about the CSO in crises.

Of course you'd rather not have to learn that way, but, like we said, incidents happen.

Look for basic business prowess. The CSO who complains that it's impossible to show how good a job he's doing is not doing a good job. True, ROI metrics are hard to come by with security, but they do exist. And in lieu of metrics, the CSO can still provide qualitative examples of good business practices. Is the security operation efficient? Are policies, technologies and incident response plans standardized? Are they reviewed regularly? Has the CSO adopted risk management to plan security expenditures strategically, or is he just trying to use fear and anxiety tactics to get funding or buy-in?

The good CSO will also communicate like a businessperson and align security with the business, not the other way around.

Gauge how security has been accepted or rejected by employees. Successful education and awareness of the staff is another sign of an effective CSO. A company where employees know not to paste passwords on their computer monitors or let strangers "tailgate" at locked doors (that is, the person with the swipe card holds the door open for strangers) probably has an excellent CSO.

A "culture of security" can be infectious and quite successful. On the other hand, a heavy-handed CSO who constantly imposes rules and disciplines employees can create a sense of lockdown, which is counterproductive.

Above all, look for overall leadership. Leadership, of course, is a know-it-when-you-see-it phenomenon, and by the time you're ready to give the CSO a review or measure his performance, you should be able to do it effectively, even if nothing has happened.

-Scott BerinatoPeer to PeerVIEW FROM THE CSO

To say that these are challenging times is the height of understatement. We are reminded every day, for example, of the potential for unconventional (or even conventional) warfare between nations, or of the once merely envisioned reality of facing weapons of mass destruction, or of the catastrophic consequences of electronic attacks against national infrastructures. CSOs work every day in an environment where crime is borderless, where it can occur in microseconds due to the electronic age, and where it is often facilitated by lack of cooperation between governments and agencies. International laws and treaties to address 21st-century crime seem to have been crafted for the age of steamships. Complexities are further magnified by the fact that modern crime may be spawned in one country and passed through several jurisdictions to instantaneously attack victims in multiple other locations. And in the past few years, more and more corporations and individuals have failed to act responsibly as stewards of shareholder and citizen trust.

As a security professional with four decades of experience, I am proud that security leaders have been exemplars in the demonstration of trusted relationships and have acted as custodians of the corporate and institutional consciences. Security leadership has gained in stature through performance and demonstrated value. The profession has risen, in a sense, from the boiler room to the boardroom.

Although the path to becoming a CSO has changed over the years, security executives have typically moved laterally into security leadership from a successful first career in government, law enforcement, the intelligence community or the military. By definition, such individuals come from a culture of discipline, mission accomplishment, knowledge of the global arena, and an ability to cope under pressure or surprise. These achievers often bring a driving personality or a sense of competitiveness to their new careers.

Such loyalty to the job, employer and function is ideally complemented by the significant integrity, honor and ethics that I've seen demonstrated over and over again by those who hold the extremely responsible and sensitive position of CSO. There is a sense of comfort with one's self and with one's position that is conveyed, for instance, in being willing and eager to develop subordinates to excel beyond themselves, and then to endorse such individuals to seek greater responsibility either with the current corporation or elsewhere. Other O's are recognizing and honoring their CSOs as true business partners in advancing the values, objectives and successes of the corporation.

These CSOs also recognize that they can find strength rather than risk by seeking out their peers in the business community. Happily, because of an informal code of trust between CSOs in competitive corporations, they can share knowledge without compromising proprietary issues. Security executives have developed formal and informal relationships to share lessons learned and form a common front against terrorism, global crises and cybercrime, and so on. It is an exhilarating experience to witness a candid exchange of tactics, techniques, methodologies, policies and standards in a forum bounded by trust, integrity, mutual respect and notable absence of any hidden agenda.

I am personally aware of instances of security executives returning proprietary informationinadvertently or deliberately acquired by their companyto a competitor with assurances that the information either was not compromised or would not be used in any manner.

Yes, the profession of the CSO continues to be, in my eyes and experience, a culture where trust, integrity, honor and collegial respect are the beacons that guide daily behavior. I am proud to be part of this valued community.

Ray Humphrey is the only person to have held the position of president at both ASIS International and the International Security Management Association, which he also cofounded.Pass the AspirinRISK MANAGEMENT

Worriers. You know the type. Anxiously in evidence at raucous parties in third-story walk-ups, where they spend the whole time fretting about whether the floor is structurally sound enough to withstand all the dancing. They hustle around the place emptying ashtrays and moving drink glasses from the edges of tables. And later, you find out it's not even their apartment!

That's your CSO when it comes to the viral orgy of adoption of certain hot technologies. Every fiber of his being is crying out, "Wait! Be careful! These things aren't secure!" But the din of the partygoers is so loud that no one can hear the warnings, let alone heed them.

Even in this down economy, leading-edge or unstable technology is flowing into businessesoften unofficiallyadding significant risk to the computing infrastructure. Consider Web services, IM, wireless networks and PDAs. In each case, the technology brings with it vulnerabilities that can expose your network to unwanted access by outsiders.

These new technologies illustrate a frightening truism: the idea that you can build a wall and control everything on the inside while keeping disruptive elements on the outside obsolete. And therein lies the rub. For a CSO, the main byproduct of all this eager proliferation is heartburn. Faced with inherently insecure technologies that are also enormously popular with users, the CSO (who may hold an absolutist's view of keeping the enterprise safe) can end up in a conflict with his own internal customers.

It's a situation that cries out for middle-ground solutions, as well as for a transfer of "informed accountability" to the business executives who must ultimately decide what level of risk is tolerable. As it turns out, good security is not about secure technologies; it's about good administration, effective policy development, smart risk management and adroit negotiation.

Along the way, CSOs are often tempted to simply pound their fists and, well, ban something. Consider the case of Paul Clark, EDS's London-based chief security and privacy executive, who sent out a memo to employees serving notice that the company would begin blocking access to all instant messaging sites because of the security risks. Within a week Clark had to modify the ban. Executives using IM as a cheap way to communicate with customers balked. As an alternative, EDS dedicated a secure port for IM services and limited use only to individuals with a high need for IM capabilities. "It's not a negative thing," says Clark of IM. "It's what the information world is about. But it has to come with controls."

Perhaps the best long-term hope for CSOs, however, is to provide clear-eyed analyses of the vulnerabilities imposed by various technologies and recommendations on how to best mitigate the risks. Then it falls to the relevant business executive to make an informed call about whether the risks outweigh the accompanying opportunities.

That obligates CSOs to become great communicators, able to interpret and discuss the interplay of business objectives, the range of potential threats associated with them and the costs of mitigating those threats. What most enterprises will also need to address is the reactive posture CSOs are forced into because of the ungoverned way in which technology often infiltrates business organizationsstealthily, user by user, and without the approval of anyone who has a broad view of the IT architecture.

Technology throws some legendary parties. But you don't want to have to call the police to break them up.

-Daintry Duffy and Lew McCrearyThe Public Face of SecurityHow security is effecting change in public spaces and architecture

Since 9/11, security has become a public phenomenon and part of the popular discourse. How much security do we need? Do we need more surveillance? Who needs to be informed when the threat alert elevates? Is it really useful to have an antiaircraft gun deployed at the Washington Monument? About the only noncontentious statement that one can make about security as a fact of life is that, in general, it's gotten to be a public impediment. Ugly and in the way.

1 2 3 Page 1
Page 1 of 3
New! Download the State of Cybercrime 2017 report