


by CSO Contributor

What you pay a CSO

Sep 18, 2003 | 22 mins
Careers, CSO and CISO

Security salaries are still shaking out as the executive-level security role comes into its own. That’s because the story of the typical CSO is not a simple one. Just about every security officer out there is a variation on a theme. Likewise, there’s no clear consensus on exactly what a CSO’s worth is, not among recruiters or even CSOs themselves. CSO research indicates an average salary of about $125,000, but the gap is wide. “Large companies hiring security executives can pay up to $500,000,” says Marc Lewis, president for the North American division of Morgan Howard, a global technology executive recruiter.

As part of our annual compensation survey of more than 400 security executives, we asked CSOs to give us an idea of how much they make, what their jobs entail, what their professional titles are, how long they’ve been at their jobs and in what industries they work.

The results were not what we were expecting. Our respondents indicated that having a C-level title doesn’t necessarily translate to a higher salary. In fact, most of the respondents at that level are making about the same in terms of total compensation, regardless of title; in other words, security managers earn basically what CSOs do. Compensated most highly are vice presidents or directors, but only 8 percent of them make more than $300,000 per year.

We may have been caught off guard, but the lack of a connection between title and compensation was no surprise to CSOs we talked to. According to Marcia LaManna, corporate director of systems security for Lifetime Healthcare, title isn’t the point. “I don’t care much about title,” LaManna says. “I’m the last word on security at my company. If I were at another company, I’d probably have the CISO or CSO title. But I don’t think the C in the title matters in terms of salary.”

A security manager at one company can be doing the same job as an executive vice president or a CSO at another. That’s probably why, at least for now, compensation levels are predicated more on the scope of the CSO’s job responsibilities than on title.

In general, though, companies have been slow to define that scope, which means they don’t know how to properly compensate the people they hire.

Clearly, industries with a high risk level tend to pay higher salaries to their security executives, says LaManna. Salaries in health care, for example, are starting to reflect the increase in security responsibilities caused by demands for data privacy in the Health Insurance Portability and Accountability Act, she says. As expected, the financial sector pays more than most, but high-tech companies showed up at the top of the scale in our research. “The computer industry pays more because, until recently, it was the hottest thing around,” says Rob Graven, a managing director specializing in technology and security services for Boyden Global Executive Search. “Computer and software companies have had the biggest IT departments with the largest budgets, and even though the boom is over, the salaries have held.”

CSO salaries probably won’t experience any major ups or downs for a while, says Graven, who sees greater demand for qualified security personnel developing. “The CSO role needs to gain greater definition and become more of a known quantity to corporations and CSOs alike,” he says.

-Derek Slater


Contra Costa County, the sixth-largest county in California, hired its CISO Kevin Dickey back in 1996 to address glaring weaknesses in its information security posture. Dickey previously was in charge of security for the state’s lottery system. At Contra Costa, he reports to CIO Steve Steinbrecher, who says Dickey has driven Contra Costa toward dramatic improvement in its security policies, architecture and compliance but had to sharpen his marketing and soft skills to get the job done.

When I got here in May 1995, security was high on my list. We brought in Stanford Research Institute to do a security review of county security practices and infrastructure. When our CEO saw the report, he was not just stunned. He went nuclear.

He said this is just unacceptable. He and I presented the report to all the county department heads (it would be the equivalent of all the other O’s in a private-sector corporation), who said, “We don’t have the budgets to pay for this.” But the CEO was determined to fix the security issues and charged me with developing a job description and bringing in someone to build the security strategy, policies and procedures.

Now, I believe that the CSO should absolutely report to the CEO. In our case, county government is like a huge, diversified, multinational corporation in which all the business units have different products and don’t have to work together. The CSO, in order to build security into a company’s business strategy and build up the defense perimeters, has to have the same level of visibility that the CIO has. I made that argument to my boss, who said, “I already manage 40 business unit heads, so I need you to handle it.” So against my better judgment, our CSO reports to me.

Honestly, there wasn’t a whole lot of acceptance of what Kevin was trying to do for the first three or four years. People are really resistant when it comes to security issues. In America, we have a real problem with people monitoring our phone calls or e-mail traffic. It takes a long time to teach people: this isn’t a “personal” computer; it’s a corporate asset that belongs to the taxpayers. It’s hard to get that across, especially to lower-level workers. The CEO and I got a lot of pushback from the departments.

Then in 2000 an extremely uncomplimentary e-mail message about a county employee was sent to every person on the county’s e-mail list. That got people’s attention. That and 9/11 were two big turning points.

But we’re not like the private sector in that the CEO can come down with an edict saying, “You guys either do it this way or you don’t get any dollars.” In county government, we have to do a lot more marketing and a lot more selling to get people to go along with the program. Kevin’s right down the hall from me, and we talk almost every day in person. Kevin has a staff of three other people. They set policy pretty much on their own, unless there’s some kind of a political issue.

One thing I focus on with a new senior manager is getting him through charm school. Many security guys have a tendency to look at things like cops do. That was probably Kevin’s biggest educational challenge coming in. The state of California [where he previously worked] is this huge bureaucracy, and it has a desk manual procedure for everything. County government is a lot more loosey-goosey. It requires more sensitivity, better marketing skills. My organization works very hard on those charm school skills, and Kevin probably spent his first two years learning that, getting smacked around by the department heads.

You have to go in with a solution, not just tell people no. For example, we had an issue with AOL Instant Messenger. Our corporate counsel stood up and said, “I want to give a testimonial for Kevin and Steve. I had this problem in my department, and I immediately called an all-hands meeting and said, ‘If I find one module of IM on a desktop in this department, heads will roll.’” They turned that whole issue over to Kevin and me and our wide area network (WAN) group and said, “Please find a solution for us.” And we’re going to do that using active directory services. Again, you just can’t go to people and say, “Don’t.” You can say, “This is unsafe, you could get yourself in real trouble here. However, I do have a solution, and you’re going to have to bear with us for 60 days while we roll it out.” And truthfully, that was an area where Kevin had to learn.

But we went from having a very fragmented, uncoordinated network and corporate messaging infrastructure to having an extremely robust, well-protected, five-nines-reliable WAN, with really good corporate messaging and Internet services. That’s basically a result of Kevin’s guidance together with some really talented telecommunications and system support people. Aside from one department that runs Microsoft products by state edict, we’re never down and we don’t have virus problems, knock on wood. And my peer group, they respond to that.

Steve Steinbrecher, who was CIO of Contra Costa County since 1995, has worked in IT since 1972.

Nothing to Fear

METRICS

Your CSO knew it had to happen sooner or later: Security’s mystique would fade and other executives would question its benchmarking techniques.

And your CSO’s tactics for getting his own way (by using fear, uncertainty and doubt) are no longer going to work, either. And it’s about time (see “6 Ways to Fend Off FUD,” below).

Executives are weary of scare tactics and gloomy games of “what if the sky falls” from their CSOs. Instead, they’re now demanding from the CSO what they’ve expected from every other department all along: metrics. And if the knee-jerk reaction to this perfectly reasonable request is “But that’s impossible in security,” then stop your CSO right there. Tell him that a very reliable source (OK, us) told you that’s simply not true. Because it isn’t. Many metrics that justify the cost of security are available now; still more are in development.

The mystical world of security is finally getting measured for a couple of reasons. First, vendors, desperate for business from increasingly careful potential customers, had to create metrics to get anyone to even consider their products.

Second, some security experts and academic and private researchers simply thought the time had come. They decided to calculate this stuff as if it were any other business investment. Which it is.

Finally, the security world sensed that executives were getting wise to their scare tactics. After all, that works only if the boss believes there really is a wolf when the CSO cries. It’s no longer tenable for a security executive to plead that hobgoblins such as return on security investment (ROSI), cost-benefit studies and risk analysis don’t apply to the realm of security. They do.

So go ahead. Demand metrics from your security team. To help, here are just a few metrics we can rattle off:

• In a special report on ROSI, security consultancy @Stake calculated a 21 percent ROI when developers build security into products at the earliest stages of software development. Translation: Spending up-front to secure software pays off big.

• Improved software testing can shed 30 cents off every dollar lost to buggy software, according to a landmark National Institute of Standards and Technology (NIST) study. Translation: Investing in quality assurance up-front can save big money later.

• A software bug that costs $1,000 to fix in the earliest phase of development will cost $30,000 to fix post-deployment, according to the NIST study. Translation: Investing up-front in bug fixes can save tons of cash.

Incidentally, in every case, metrics have proved that investing up-front, typically the easiest time to ignore or put off security spending, pays off.

-Scott Berinato

6 Ways to Fend Off FUD

MANAGING FEAR

When all else fails to secure funding for security (and much of the time, all else does fail), it’s not uncommon for the desperate to resort to spreading fear, uncertainty and doubt (FUD) about security threats in order to get your attention, and your budget dollars.

It is not done blatantly nor proudly, but it is done. One CSO admitted to walking into the boss’s office and stealing a file, then locking the computer down with a password-protected screen saver so that the boss couldn’t access his own system. The goal was to scare the boss into understanding the security risks he posed, and, to an extent, it worked.

In the long run, though, FUD does more damage than good. It creates a cry-wolf atmosphere and sets up a dysfunctional relationship between the security team and the other executives, who will grow to view the CSO suspiciously at best, and at worst, dismissively.

So, by all means, dissuade your CSO from FUD-ing you with the following few steps to restore some rationality to the relationship.

1. Force your CSO to stick to the facts by having him condense information into a set of essential bulleted items. It’s a FUD-proof format that communicates the basics of a situation and empowers you to make clearheaded decisions based on the real facts and risks.

2. Forge a strong relationship with your security executive and make communicating about security a priority within the company. CSOs say that FUD often results when security leaders lack executive sponsorship and employee interest.

3. Create a relationship of mutual education. Encourage your CSO to explain security investments and their success or failure in a nonconfrontational manner. His experience can inform your expectations for security. In return, share your own perspective and experience to ensure that your CSO grasps the business ramifications of security projects.

4. “I worked at a place where you dropped the word hacker, and the pocketbooks opened up,” says Adam Hansen, head of security at law firm Sonnenschein. Capitulating under the onslaught of FUD, even once, is like feeding your basset scraps from the table. You’ve created a beggar for life. Keep all security discussions, no matter how dire the situation, focused on the bare facts, the business risks and the ROI.

5. Don’t be part of the problem. “In a tight economy, CSOs will be more likely to have success with the FUD approach,” says Pat Schuler, a Minneapolis-based management coach and consultant. “Senior management is often better able to envision dire results than positive benefits.” Business executives need to steel themselves to security problems and calmly evaluate their impact. Your composure will put the damper on any plans the security team might have to shake you up with a dose of FUD.

6. Develop an enthusiasm for numbers. CSOs who keep good metrics are less likely to resort to FUD; instead they can let the numbers do the talking. Make sure your CSO understands that he must walk into your office with reproducible information and validated data to support his point of view. This point is so important, in fact, that we’ve expounded on it in “Nothing to Fear,” above.

-Daintry Duffy

Stop the Spam

SECURITY SOFTWARE

Spam is fast becoming a leading issue for many IT departments. Spam annoys employees, saps productivity, and can (in the case of pornographic spam) even contribute to a “hostile” work environment. What’s more, since spam is increasingly used by identity thieves, hackers and others as a way of spreading hostile software, spam can represent a serious security risk as well.

Spam has made such a huge impact on the corporate world that there are now literally dozens of different solutions to the problem, some free, some quite costly. The most effective systems implement a so-called white list of people who are allowed to send e-mail to your organization’s users. People who aren’t on the white list get sent a challenge with some test that they need to pass in order to prove they are human, and not some spam-sending robot. But while effective, these systems create massive headaches for mailing list operators, e-commerce sites and others that legitimately send out e-mail to large numbers of individuals.

Another approach to stopping spam is to use a program that analyzes each incoming e-mail message for the telltale signs of spam. Some of these systems use keyword analysis; others use complex statistical models. SpamAssassin, an open-source spam detection filter, employs more than 1,700 different tests.

Still a third approach is to use the electronic blacklists of “known spammers.” While reasonably effective, these systems effectively give a third party control over which e-mail message you will accept and which you’ll reject. That can cause serious problems when you want to receive a mail message from an ISP that’s been labeled as harboring spammers by the organization maintaining the blacklist.

Like antivirus programs, spam filters can be run on your mail server or at the client. In fact, antivirus and antispam applications are so similar from a technological point of view that most antivirus systems will probably incorporate antispam capabilities within the next six to 12 months.

-Simson Garfinkel

Paul Revere, Security Consultant

Communicating Threats

Alerting employees to potential security situations can be a tricky business. When management warns too often and threats don’t materialize, security can become an object of employee ridicule. If warnings are poorly communicated and employees aren’t given concrete action items, they may suspect that the company is not doing all it could to protect them.

In a recent treatise on the psychology of terrorist alarms, Philip G. Zimbardo, a professor of psychology at Stanford University, outlines what he calls the “Paul Revere paradigm for successful dissemination of public alarms.” He bases his paradigm on the theory that Revere’s famous midnight ride to alert the colonials of the British approach was successful for four reasons: Revere was known to be a credible communicator, his alarm was focused on a specific event, it was designed to spur citizens to act, and it called for a concrete set of actions in response. Zimbardo adds that contemporary psychological research has supported this paradigm by finding that such alarms should arouse only a moderate level of motivation. “Too low doesn’t energize action, and too high creates emotional overload and competing, distracting behaviors,” he says.

If you compare Zimbardo’s paradigm with the general public’s reaction to escalations in the national color-coded threat level, it’s clear why so much confusion has been generated. Zimbardo notes that after an alarm has been issued, it’s essential to debrief people so that any misinformation can be corrected and to reinforce in people the value of the efforts they’ve made. That is particularly important when a threat doesn’t materialize. “Some reputable authority must provide an explanation of why, and then also lower or remove the threat alert,” he says.

-Daintry Duffy

Psy-curity 101

A successful security program is one that takes into account the softer side of things

Rest easy now. Your CSO has installed closed-circuit cameras in the workplace and metal detectors in the office lobby. The intrusion-detection system is operational. Everyone and everything is safe and secure. So why are your employees grumbling about corporate mistrust and their elevated level of stress?

The answer lies in the psychology of security. When setting up a security program, an organization’s executives must first consider what goes on in the minds of its employees. After all, 80 percent of security is psychology-driven, says Rich Maurer, associate managing director of the security services group for Kroll.

Even when the warnings seem reasonable enough, rationality often flies out the window; security in all its visual manifestations reminds us just how vulnerable we really are. “What to a CSO is an impersonal protective measure, to most employees represents an emotional message,” says Ken Siegel, a management psychologist and president of the Impact Group. “There’s no such thing as an antiseptic intervention.”

To understand how employees feel about security, one must recognize that their enthusiasm for such measures will wax and wane drastically over time. During periods of increased threat, the natural human reaction is to say, “I’ll do anything you want; just keep me safe.” But people can’t sustain that anxiety level indefinitely. As the threat diminishes or people become accustomed to the new level of risk, they start to question whether security really makes a difference, says Dr. Robin Dea, chair of the chiefs of psychiatry at Kaiser Permanente.

The challenge for an organization is to achieve a balance between visible and invisible security. On one hand, security must be obvious in order to deter the criminal element, but sometimes such visibility makes employees only more fearful and uneasy. “There’s always got to be a balance,” says Phil Banks, a former Canadian Mountie and current head of Deloitte & Touche’s security management group. “Some see the need to present an ID card as a measure of safety; others see it as just another manifestation of Big Brother.”

-D.D.

The CSO Guild

A guide to who’s who in the world of security organizations

Well-connected security executives are good to have. Fortunately, they have access to a network of organizations in which to share best practices, learn about the latest threats and vulnerability reports, and swap tricks of the trade with their colleagues. Since each organization serves a different purpose, your CSO is likely to belong to several. And that’s a good thing. A networked CSO is more effective at protecting your company than an isolated CSO would be. Here’s the lowdown on some of the most well-known security organizations.

International Security Management Association (ISMA)

More than 300 security executives from Fortune 500 companies with assets or annual sales of more than $500 million.

An international security forum from every security discipline under the sun that shares information and best practices. This is where CSOs go to get the inside scoop on corporate safety in high-risk countries.



American Society for Industrial Security (ASIS)

Membership: Its 33,000 members hail from all levels of security practice and meet frequently for chapter meetings and conventions.

Established in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security practices by gathering and disseminating knowledge through educational programs and materials that address all types of security concerns.


Information Sharing and Analysis Centers (ISACs)

Members are divided into specific industry sectors. Members must sign a nondisclosure agreement as part of the application process.

The ISAC movement is all about securing economic sectors considered part of the country’s critical infrastructure, such as financial services, electric power, oil, gas, telecommunications and transportation.



InfraGard

Membership is available on a case-by-case basis in regular and secure classifications. Regular members are approved locally; secure members must be approved by the FBI and are required to sign an agreement with the FBI to share sensitive information.

To promote information-sharing between the FBI and businesses, academic institutions, and state and local law enforcement agencies.



Electronic Crimes Task Forces

Members come from federal, state and local law enforcement agencies, private companies, and universities. Chapters include Boston, Los Angeles, New York City, San Francisco and Washington, D.C.

To increase the resources, skills and vision by which law enforcement agencies team with prosecutors, private industry and academia to protect corporations and consumers from electronic crime.



Information Systems Security Association (ISSA)

Any level of infosecurity professional is invited to join this, the largest nonprofit information technology security organization that cuts across all industry sectors.

To promote management practices that ensure the confidentiality, integrity and availability of information resources. Advocate for the security function within companies.



-S.K.

Stereotypes? Fuhgeddaboutit.

THE CSO ROLE

Toss aside your stereotypes and get to know what your CSO really brings to the table.

“There’s this notion that security is about this cop mentality, and it makes the hair stand up on the back of my neck,” says George Campbell, president of the International Security Management Association (ISMA) and former CSO of Fidelity Investments. “We’re rejected out of hand as being too ignorant to appreciate business challenges. I bristle at that.”

“And we’re looked at as the techies who somehow managed to wriggle into management,” sighs Bill Spernow, CISO of the Georgia Student Finance Commission.

Neither statement could be further from the truth. Most CSOs are articulate, well-educated and extremely knowledgeable about business matters. Many have taken business leadership courses, and some have MBAs. In fact, Bob Littlejohn, vice president of global security for Avon Products, has designed the curriculum for ISMA’s Leadership Program, an executive development and leadership seminar for potential CSOs. The year-long program, held at Georgetown University, focuses on business skills such as strategic planning in domestic and international business environments, analysis and decision making, negotiation, persuasive communication, and team building. Hardly the stuff of thick-necked cops.

If the world came crashing down around you, these are the people you’d want nearby. Littlejohn, in addition to possessing a calm, measured hand in times of turmoil (such as guiding Avon employees through the chaos of the Sept. 11 attacks), instructs employees in more than 120 countries on how to avoid getting kidnapped or carjacked.

CSOs are trained to protect you and your company’s assets, data and employees, and they aim to fit their policies into the overall business strategy. Dave Kent, vice president and CSO of biotech giant Genzyme, is partnering with President and CEO Henri Termeer to secure the company’s new all-glass headquarters. Kent, who is working to prevent the loss of intellectual property by way of people peering through the windows, has “scrubbed” the blueprints he’s filed with local agencies to keep people from knowing where labs and offices will be located in the new building. He’s even saved Genzyme huge amounts of money by streamlining access control systems (going from 13 systems to one).

CSOs simply want their boardroom peers to help them connect effectively with the business. “How many times has a CEO said, ‘If I had only known…’?” asks Lynn Mattice, director of corporate security for Boston Scientific’s global operations. “That’s where our real value lies. We are a major source of need-to-know information.”

-Simone Kaplan