Congratulations. You're doing magnificent work. Don't let up.
Sure, you're getting a pretty good tailwind from the economy. Rotten times seem to increase everyone's appreciation for security. Poorly managed risk (thinking of mortgage-backed securities here) increases everyone's desire for well-managed risk.
Nevertheless, I don't think the sour economy accounts for all the positive results in our 2009 State of the CSO survey. The upshot is that security is very well regarded at this point in American corporate history, which means you've come a long way in less than a decade. The CSO, in many places, has become an important participant in effective organizational governance. More than ever, you're regarded not just as the person who bars the doors, but as a person who safeguards the value of the company.
See Senior Editor Joan Goodchild's recent look at this evolution of the CSO. There is great value in taking stock and recognizing achievements from time to time. After all, who doesn't need an occasional pat on the back? But as always, it's the future that interests me more than the past.
What happens to the CSO position in three years? In 10? And what should you be doing now in order to deliver a positive future, rather than simply waiting to react to whatever circumstances should befall you?
To repeat a point made in this space before, I think the future of the security department is about using the sensors you have in place (cameras, log files, card readers, investigations) to deliver actionable business intelligence back to the company.
Not just security intelligence. Business intelligence.
David Kent, Genzyme's CSO, hints at this in Goodchild's article when he says, "The interesting work will be in discovering the new connections and building the resulting services that we don't know about today."
Some of these services that security may offer in the future presumably will be relatively direct extensions of today's expertise. An example: brand protection. Tim Williams at Caterpillar sits on a new working group focusing on the challenge of brand protection. This brings security's expertise (search and investigation, for instance) together with legal and marketing and other departments. It's a broader application of the concept of security. (Goodchild explored this specific path forward in Brand Protection: The Expanding CSO Portfolio.)
Other services may utilize the security group's capabilities for nonsecurity purposes. Some security groups today manage all corporate air travel. Some handle all logistics for off-site executive meetings. Those aren't pure security tasks, but the capabilities developed by the security function are a great match.
In still other cases, security may simply hand off data it has collected. An oft-cited example would be using in-store loss prevention cameras to analyze foot traffic and customer behavior around merchandise displays.
And in really extreme cases, this data will provide the basis not just for tactical changes but actual business process transformation. Security company ADT, which calls this the pinnacle of their Levels of Integration framework, gives as an example the redesign of a retail supply chain based on data collected through RFID infrastructure.
Such services are, of course, a layer on top of more traditional day-to-day activities. Sometimes an access card is just an access card. Still have to protect assets and data.
But today's CSOs should be priming their systems for a future in which every security application is tuned to deliver as much business value as they can imagine, and even more.