Evolution of the CSO

From incident reaction to proactive risk assessment, the CSO role has evolved dramatically. Next stop: new services and business operations intelligence.

Page 2 of 2

Williams believes that CSOs and CISOs will need to come to the table armed with knowledge of the security risk to the enterprise they work in, and be able to put that risk in a business context that foresees the economic impact and the frequency or likelihood of a risk event. He also speaks passionately about the need for an effective security leader to work well as part of a team. He credits much of the success he has experienced so far at Caterpillar to the strong dynamic between members of his security department.

Williams concurs that the job of the new CSO is to be an executive with security-functional expertise. But how the CSO engages and puts risk context into the business is an art and a science that each CSO will need to master to gain the respect Saffo referred to previously. It will take a thorough understanding of a company's product line and economic drivers, in addition to risks. And it will likely mean knowing how to make the case for investment with limited resources. Williams believes that the number of security executives who hold MBA degrees will continue to grow in the future.

"You have got to develop a cohesive, understandable, clear strategy for how you are spending the company's money and what risks you are addressing as a result of that spend," says Williams. "The pressure will now be on the ability to logically and cohesively defend and advocate for dollars. It is a critical skill set we better have, or we are in trouble."

And for those who do have the necessary skills? A walk through the halls of Genzyme today might offer a glimpse. CSO toured the facility recently and had a chance to see Kent's state-of-the-art program that approaches security with an "all-hazards" view of risk. It includes an impressive monitoring room where staff members assess potential real-time risks to the company, looking at data from all over the world.

Such an all-encompassing view isn't confined to a basement operations center. Earlier this year, Genzyme combined security, risk management, competitive and technical intelligence under a single purview and changed Kent's title to vice president of global risk and business resources. In a vast change from his early days with the company, when he was a security professional brought in to react to a negative event, Kent now takes a seat at the table with other executives in the company to discuss security strategy and risk assessment.

He is optimistic that this group will prove not merely reactive, but will grow in its ability to provide business intelligence.

"We are leveraging obvious synergies between the groups," says Kent. "The interesting work, though, will be discovering new connections and building the resulting services that we don't know about today."

Copyright © 2009 IDG Communications, Inc.
