Security’s Identity Crisis

Jun 01, 2003 | 4 mins
CSO and CISO | IT Leadership

Amidst terrorism threats and world turmoil, you'd think that support for security would be at an all-time high. You'd be wrong.

Leave it to the shrinks to come up with the very best way of describing a mess. By labeling the current executive security profession as suffering through an “Identity Crisis,” we mean no disrespect to individual CSOs. What we’re seeing, though, is a mess—an unformed role still rife with assorted uncertainties.

Not that the world itself hasn’t always been rife with vulnerabilities, but never more so than it is today. As fear of terrorism and geopolitical anxiety escalate, security seems to be on everyone’s mind. In the newly networked corporate climate, in particular, the need for a coordinated security effort is at an all-time high. And yet, just as the security function seems poised to make an entrance into the corporate ranks…there’s a steady flow of security executive layoffs. And only a marginal increase (at best) in security spending.

That’s the nature of the identity crisis: The CSO is not yet widely established as a legitimate corporate executive, although all the signs say that security should be more important than ever. Indeed, there’s precious little consensus about how to make the corporation secure—how the function should be organized and governed, who should lead it, what skills they need, and how to measure their effectiveness. Consultant Thornton May sums up the widely held perception of security in this way: Despite the very best intentions, CSOs “haven’t made their enterprises more secure—they’ve just centralized blame,” effectively giving the CEO one neck to choke, no matter what kind of breach has occurred.

Resolving the crisis will require a significant reworking of the security executive skill set: a daunting, but not impossible, task. If precedent counts for anything, it’s worth remembering the evolution of the CIO. The title first appeared in the mid-’80s, when the CIO was simply known as “the data processing guy.” CEOs demanded return-on-investment calculations; CIOs countered that IT was a special case. “Standard business metrics don’t apply to us,” they’d say, the subtext being, “You, Mr. CEO, can’t understand technology.”

After suffering through years of misaligned IT departments, CEOs got fed up and yanked the technical guys out of CIO positions and replaced them with line-of-business managers who had no technical background. It was a wake-up call for many CIOs: Technology would, in fact, be subject to the same disciplines as other business functions. Today, an MBA is a more common credential for CIOs than any technical certification.

Early CIOs failed in the same way many security leaders are foundering today: They alienated themselves. A similar epoch may befall the CSO unless he can create certainty among senior executives that the security function is centered, 100 percent, on making business possible and more profitable.

This special issue is designed to help CSOs breeze through, or even skip, that painful evolutionary stage. We surveyed more than 400 security professionals and interviewed dozens more CSOs and CISOs to extract keys for security executive success. Some of our stories present research results on CSO compensation and responsibilities. Some point to solutions for getting the job and keeping it. Some will help you organize your company’s security function for maximum effectiveness. Through this broad range of topics, a few common threads of advice are woven.

First, security must end its turf battles and present a unified front to business leaders.

Corporate and infosecurity personnel should do lunch, hold educational seminars, throw Hawaiian-shirt keg parties, whatever it takes to knock down the walls of mistrust. The security team must put aside power struggles, personality clashes and stereotypes to gain credibility from the rest of the organization.

Security must also stop sending business leaders negative messages. The message is not about what executives don’t understand or what they can’t do. Successful CSOs will be those who demonstrate an eagerness to listen to the business agenda and then work to make it happen, securely.

Finally (and this will be the mark of the security function becoming mature and embedded in business psychology), CSOs must find the places where security truly can serve as a differentiator for the business, a point that establishes customer trust vis-à-vis the competition.

Addressing such issues won’t solve every problem the CSO faces, but it will lay the foundation for a clear identity: a well-defined, widely accepted position in the executive ranks from which to truly effect corporate change. It could be a long journey, and for many it will be difficult. The only thing harder is staying where we are now.