Today's CSO: Business, relationships come first

As many CSOs reach retirement age, organizations find their 21st Century replacements will need a different set of skills and expertise than those who filled the CSO role just a decade ago.

As Baby Boomers are leaving the corporate workplace to enjoy their time on the beach, in the mountains and in their RVs traveling across the country, corporate security departments are losing leadership talent more frequently than at any other time in corporate history.

A Global Chief Security Officer recently suggested that in a meeting of financial services CSOs he attended, the audience was made up mostly of CSOs who would be retiring in the next one to five years. He especially noticed the demographics in the room because he is fifty years old and is wondering which of his more senior global CSO peers' jobs will open up for him to explore for his own career advancement in the not-too-distant future.


In the past, the Chief Security Officer role was frequently filled by a retiring FBI, Secret Service, Military or Law Enforcement professional who came to the corporate environment directly from their federal employment. Not only were CSO jobs filled this way but once on board, CSOs much more frequently than their CISO counterparts tended to hire individuals who came from the same agency or unit where the CSO previously worked.

This hiring practice created an environment where disconnects frequently occurred between the corporate security department and the culture of the rest of the business-focused organization. Business leaders expected these newly hired CSOs to immediately understand their business needs. How could this possibly happen without a proper mentoring and break-in period?

Business has changed. The dynamics that drive your business have likely changed since your organization hired its last Chief Security Officer. Chances are very strong that the way your company operates today is far more technologically driven than the way your organization conducted business in the past. Today, your organization faces significantly more US Government regulations. If you do business globally, your company must not only be in compliance with rules and regulations that exist in different countries around the world but also knowledgeable of the local cultures in which you do business.

In many companies, the CISO and CSO positions share space at the board room table with 'C' suite executives. A 'C' level security executive must have seasoned business skills, exceptional communication skills and the ability to create security objectives in support of ever-changing business strategic goals.

Who qualifies for a Chief Security Officer job now? A Human Resources Director responsible for identifying candidates for a Converged Chief Security Officer search to head up his company's information security and corporate physical security operations recently shared these comments regarding his expectations for candidates for his CSO job:

-Fit for us is more important than anything else.

-The nature of our business is relationship based.

-How you feel about the person with whom you're doing business is key in our organization.

This Human Resources Director's points were that for a CSO to succeed in his company, they would have to demonstrate an understanding of the business, have exceptional relationship building skills and have expertise in multiple domains of security, compliance and risk management topics at both strategic and tactical levels.

Emphasis was placed on business and relationship skills. Without sound business and relationship building skills, it did not matter what set of security, risk and compliance skills might exist in a security professional's toolbox. Without solid business, financial, communication, strategy, collaboration, problem solving and negotiation skills, a CSO candidate would not be hired, nor would he/she ever be able to succeed in this HR Director's business environment.

The HR Director focused more on finding a CSO who fit his organization from a business and cultural standpoint than finding a CSO whose resume covered every security domain imaginable. His idea was to present CSO candidates to his executive team who demonstrated the ability to align security and risk solutions with the needs of the business and to turn to subject matter expert security consultants when specific security issues surfaced that may have been outside the chosen CSO's skill set.

Early on in his search process, the HR Director interviewed candidates coming directly from federal agencies. These candidates had no prior corporate experience. He found these candidates to be deeply talented in one or two security subject matter areas such as investigations or money laundering but did not find these candidates capable of immediately understanding the complexities of his company's highly creative and largely non-regulated business.

The HR Director decided that focusing on candidates who already possessed 10+ years of corporate experience would increase his odds of finding the right candidate. In the end, the chosen Converged CSO candidate demonstrated 10+ years of corporate security experience on top of a law enforcement background. This CSO's experience included a mix of deeply technical information security experience in addition to a well-rounded mix of physical security experience from his law enforcement days.

This candidate had already proven that he could make the transition from a career in law enforcement to a career in a for-profit business environment.

To be successful in this HR Director's highly creative and highly relationship-driven company, a Chief Security Officer would have to be a business professional first and a security, compliance and risk management professional second.

The Profile of Your Next Chief Security Officer

Sure, it may be convenient and represent the path of least resistance to hire your next CSO the way you hired your last CSO but is that the right decision for your business?

Progressive companies are considering the ways in which business drivers have changed in recent years as they look at qualifications for their CSO role. Hiring authorities are considering that technology now drives their business and that their last CSO may not have had much if any technology experience.

Hiring authorities come to the conclusion that the next CSO for their organization needs significant experience aligning security and risk management programs with the needs of the business. These decision makers determine that their next CSO needs to have extremely well-developed interpersonal relationship building skills to enable them to connect with line-of-business owners across the organization to create a collaborative and teamwork-driven environment that serves the business and does not get in the way of doing business.

Today's CSO must be a lifetime student. Given that threats are not just criminal in nature and now include cyber terrorism and cyber attacks from rogue nation states and cyber militias, today's security leaders and those of the future need to constantly stay abreast of increasing threats through continuing education and certification. Today's security leaders must be well versed in risk management topics and they need access to complex risk intelligence.

A CSO whose mindset is that of an enforcer and not an enabler of business will not fit their organization's needs moving forward. When looking at candidates, hiring officials are considering that security leader executives must be business professionals first and security and risk management professionals second.

These organizations understand that their next CSO will have a place at the board room table. These security leaders must be capable of building meaningful and collaborative business relationships and must communicate effectively with business people in the course of measuring risk, securing the organization and communicating risk and security issues to their non-security peers.

Identifying and Recruiting Your Next Chief Security Officer

There are many ways to identify and reach out to security talent today. Posting security jobs on job boards will lead a company to security job candidates who are actively seeking a new position at any given time.

This approach is fine if an organization isn't concerned about reaching security talent that falls into the top 20-25 percent of all security professionals. People who fall into the top 20-25 percent of their industry's skill level are seldom looking for a job, are most often gainfully employed by your competitors, and need to be reached by direct and creative means.

In summary, compliance demands are increasing in most industries. As business is pushed to the Internet, risks and vulnerabilities will continue to rise. Those who cause security incidents to occur are sophisticated, educated, technologically savvy, often associated with organized crime, cyber militias or nation states, and frequently perpetrate their deeds from the safety of a computer in a faraway third-world country.

A CSO needs to be a highly business-savvy executive who understands the value of building meaningful professional relationships. They need to identify and articulate risk issues. They need to be able to create security and risk management solutions that enable the business to do business and in no way slow the business down. They need to have a rolodex that includes deep relationships with peers, law enforcement and government agencies. They need to pursue continuing education and certification to stay abreast of increasing threats.

Is your organization's current CSO enforcing rules and regulations or are they enabling the business to do more business?

Jeff Snyder is the President of, an executive retained search firm highly specialized in global information security, corporate security and converged security recruiting efforts.

Copyright © 2011 IDG Communications, Inc.
