Where you find a CSO

Finding an executive who possesses the potpourri of security skills necessary to succeed in the CSO role can be a formidable challenge. Actually finding one who also possesses the critical but intangible qualities of leadership, vision and integrity can seem next to impossible. But the search for a qualified CSO doesn't have to be a frustrating odyssey. Here are some hints on where to look and what to look for when filling the top security spot.

1. Steal a CSO

With a small pool of qualified candidates and an increasing demand for their services, chances are pretty good that the CSO you want may already be doing the job at another company. Tracy Lenzner, CEO of LenznerGroup, an executive search company that specializes in CSO and CISO hires, notes that many organizations find their candidates at other companies and lure them to their new job. "[CSOs want to know] what kind of authority and visibility they'll have," says Lenzner. "Some have strong egos. They're visionaries, and they'll want to strategize. The ability to make changes and get results is what they hunger for." A CSO who is frustrated in any of those areas is just ripe for the pickin'.

2. Forget the Title

Titles mean different things at different companies, especially in the security world. Those who hold titles similar to a CSO, such as CISO, director or vice president of security, shouldn't be disregarded. Often those individuals are performing many of the same functions as a CSO or have been primed in a secondary role to eventually rise to a CSO position.

3. Look for a Star

Although the security industry is small and quite insular, it has its superstars. "A renowned name can be a plus," says Lenzner. "It can bring instant credibility and is usually desired in a highly political environment or one that requires a high level of integrity and industry standing." In addition, CSOs who work the conference circuit and are sought after as speakers and commentators often have connections within the industry and within government that can be useful to an employer. However, Lenzner also cautions companies that are tempted to hire a security heavyweight that a big name is no substitute for performing due diligence prior to making the hiring decision. "As we know from Hollywood, there are always new superstars on the horizon," she says.

4. Scout the Services

The military, law enforcement and three-letter-government-agency types have traditionally been a rich pool of CSO candidates. But while many of those individuals have the necessary CSO personality traits (strong leadership skills and an understanding of the importance of character and ethics), they sometimes lack the technical expertise to command the respect of the IT group and the communication skills necessary to form critical executive partnerships internally. One Fortune 100 CSO notes, "Although I have a great deal of admiration for the FBI and people who have worked in the CIA or the Secret Service, I'm seeing a move away from that model."

Regardless of where you find a CSO candidate, certain experiences and qualifications can set the best apart from the rest. Many of the requirements that Lenzner suggests are clearly visible on a résumé or easily discovered in a preliminary interview. They should have:

  • Service in a security-related position
  • A demonstrated ability to gain confidence and credibility of executive leadership
  • A CPP and/or CISSP certification
  • Ten or more years of experience in information security (for CSOs in IT-heavy industries such as finance)
  • Strong knowledge of IT security, antiterrorism and cyberrisk issues

Of course there are plenty of duds out there, but they are easily identified if you know what you're looking for. CSO candidates that are arrogant or have a short fuse probably lack the finesse to gain consensus on security initiatives. Résumés that exhibit a lack of consistency (for example, they've been bouncing from job to job rather than steadily progressing to a security leadership position) should be another red flag.

The best step a company can take to land a good CSO is to work backward. Figure out what you want and need from a security executive before starting the search. "You have to know what the organization's strengths are and the areas that you want to improve on. Then ask yourself what you want to achieve," says Lenzner. Remember: Even the best CSOs will be doomed to failure if they can't figure out the role you want them to play.

-Daintry Duffy

Peer to Peer: View from a Recruiter

Qualifications for a CSO continue to evolve, save one prerequisite that remains constant: leadership.

Whether by regulatory mandate, board directive, or simply a sense of responsibility to the company and the community, you've decided to create the position of CSO and hire one. It's not unusual at this point to have a profound sense of "Now what?"

You're now stuck hunting a rare species. In recruiting executive security professionals for six years now, I can safely say that one of the few constants about the position is that there is always a shortage of qualified candidates.

You'll be inundated with résumés, anyway. All of them will boast of a certain pedigree from the military, law enforcement or, more recently, the intelligence community. While it's true that the majority of CSOs (those who hold dominion over corporate security as a whole and not just IT security) can be found among these ranks, it's also true that this background alone does not a qualified CSO make.

The best CSOs, in fact, understand that they can't simply transplant military or police experience into the corporation, but rather they must adapt that experience. The same holds true for IT security specialists looking to move up the ranks to a broader security role.

Many candidates don't get this. I remember one candidate who thought he had the pedigree for a CSO position at a Fortune 500 company, but he stomped his way through the interview process like a cop, playing the role of the authority figure and the enforcer.

The company, naturally, was turned off and decided that, while he was technically qualified, his personality wasn't going to fit in. When the candidate heard the news, he lashed out, almost like a child, yelling and screaming about how stupid the company was for not choosing such a qualified candidate. He simply couldn't understand why it didn't pick him. I could see why right away.

On the other hand, when my recruiting job is easy, it's really easy. As tired as the cliché is, the best CSO candidates are a cut above all the others. There's nothing on a résumé that will delineate that. It's the intangibles: the applicants' ability to communicate, to listen, but also to provide a sort of discipline. They remain cool under pressure. They've handled crises. They are usually entrepreneurial, and you see this now as many good CSOs take it upon themselves to go back to school and get MBAs, recognizing the increasing importance of a solid business background.

CSOs also have an ethical grounding that, frankly, is just stronger than most people's. Good CSO candidates exude leadership. I would argue that the CSO position requires the most dynamic leadership in the company after that of the CEO.

No wonder, then, that this is a rare species. The harsh truth may be that some companies will hire a CSO-in-training, someone on the path to becoming that ideal leader but who hasn't yet gotten there. That will require extra support for the development of the executive from the rest of the executives but will be well worth it. You'd rather hire someone like that than someone like the guy who lashed out at not getting the job.

The evolving relationship between physical security and IT security is another factor to consider. When I started recruiting security executives, it was right before the Internet really took off, and I predicted that the CISO role would rise in prominence to the executive level, sitting in a very key part of the organization.

I was wrong. The future of the CSO will combine the traditional security group with IT security. That means a CSO will need to cross worlds (because the good ones are entrepreneurial, they'll go get the skills they need), but don't get hung up on a phy-sec specialist needing massive amounts of technical proficiency, or vice versa.

Far more crucial than that, the good CSO will play the role of orchestra conductor. He'll know how to get the best from the string section and the brass section, and he'll get them to play well together under the guidance of his baton.

Beyond the merging of tactical disciplines, the scope of the CSO role and its presence in the corporation will continue to grow, to evolve. I see the CSO serving the board in fiduciary and ethics issues, as dictated by legislation such as Sarbanes-Oxley, almost becoming the board's ethical consultant. But what will remain a constant is the need for that CSO to be a leader and not just a manager.

Tracy Lenzner has been recruiting security executives for more than six years.

Security Starts at the Top: Governance

People in the security industry don't agree about everything, but on the following point they generally see eye-to-security-conscious-eye: Weaknesses in user practices pose a greater threat to an organization's security than do any vulnerabilities related to technology.

Building a secure organization requires a culture change on every level. That's why, despite the fact that the security minutiae may fall to the CSO, ultimate responsibility for a company's security lies with the entire executive team. So as an executive, it's crucial for you to know what you can do to turn users (forgetful users, careless users, distracted users) into the first line of security defense instead of your company's biggest vulnerability.

The first step? Recognize the dangers that lackadaisical users can wreak on a company's security. The next time your CSO says, "Have you heard the one about the...(insert horror story here)?" listen closely. Maybe it's a health-care employee who unwittingly made hundreds of medical records available on the Internet, or an office assistant who fell victim to a hacker's wiles and shared company passwords. Pay attention to the repercussions executives of the unfortunate companies suffered. Were they sued? Humiliated in the industry? You could be too.

Your next step is to begin to recognize what your company can do to protect itself. In most cases, the strongest defense is a watertight security policy. Don't know if your company has one of those? Find out. Ask the CSO to take you and the rest of the executive team through it step by step. The security policy should be written, easy to follow and readily available to everyone in the company.

Once the executive team is familiar with the security policy, the next step is to make sure employees are following it. While that doesn't mean the CEO should perform spot checks on employees' desktops, it does mean that the plans for educating the entire company should be clear. Do employees go through security training? What kind, and how often? Is the executive team comfortable with the level and amount of training required? How does the security team communicate policy updates? Are department managers responsible for enforcing security rules? If so, do they know that?

Finally, and this is where your leadership skills should come into play, lead by example. Be beyond reproach in your meticulous attention to the security policy. Take extra care with your passwords. If members of the executive team make it their responsibility to become the most security-conscious people in the building, the rest of the company should eventually follow suit. You and the other executives in your company might not think security is the most interesting part of your job. But it's a safe bet that it's one of the most important.

-Meg Mitchell Moore

Immune Systems: Software Security

Computer viruses, like human viruses, are not democratic. Some organizations have tremendous problems with viruses, others don't.

There are other similarities between digital viruses and their biological analogue. The first, of course, is communicability: Both kinds of viruses spread from infected systems to ones that are apparently healthy. Another is the potential for harm: Most viruses are a mere annoyance, but others can do serious damage.

But there is a key difference: Unlike human viruses, there are proven measures one can take to protect oneself from computer bugs.
