• United States



Leaders by Example

Jun 01, 20055 mins
CSO and CISOIT Leadership

Every security job is different, but the goal is the same: Create business value. In the following pages, five leaders show how they build teams, forge consensus and measure performance to make security far more than a cost center.

Which of the following best describes a security leader?

A. Someone who views himself as a facilitator among disparate groups.

B. Someone whose strategy is guided by a self-developed formula that analyzes demands on security resources and assesses all relevant risks.

C. Someone who’s built a “virtual security organization” with 50 to 60 line-of-business executives around the world.

D. Someone who acts as a bridge builder between security and public safety departments, and security and the boardroom.

E. Someone who believes service in a variety of professional security organizations not only helps the profession but makes him a better security executive.

F. Uh, all of them?

If you answered F, CSO readers, you’re right on the money. As we’ve been noting since the launch of this magazine three years ago, it’s becoming harder and harder to offer a one-size-fits-all description of a chief security officer. Why? Because security leaders come in a Baskin-Robbins-like array of flavors, with a huge variety of mix-ins that add different textures and nuances to the final product. They may have responsibility for any number of areas, including corporate security, infosecurity, background checks, disaster recovery, executive protection, fraud prevention, ethics and privacy—you get the picture. The old “geeks and guards” stereotypes may have had more than a faint ring of truth five or 10 years ago, but those days are over.

Each of the answers in our quiz above happens to describe the background of one of the five security leaders we’re profiling in our third annual issue examining the evolution of the CSO role: Graham Kee, director of security, Port of Vancouver (A); Lou Magnotti, CISO, U.S. House of Representatives (B); Lisa Johnson, CISO, Nike (C); Mark Barnes, director of safety and security, Kiawah Island Golf Resort (D); and Regis Becker, global director, security and compliance, PPG Industries (E).

These individual profiles represent a departure from our previous CSO role issues, which included stories on topics such as succession planning, security education and how to get hired. This year, we’re looking at the role of CSOs from the perspective of five practitioners (three corporate security, two information security) in a variety of industries: shipping, government, apparel, hospitality, and glass, chemical and industrial coatings. These CSOs talk about why they chose the career paths they did and what security—and business—challenges they face in their organizations. Just as no two security leaders are the same, every security job is unique; looking at the profession through five different lenses helps to illuminate the big picture. Our goal is for each reader to be able to glean some insights that will help in present and future positions.

Setting the stage for this special report are the results of our third annual exclusive “State of the CSO” survey of 313 security leaders. Highlights from this research appear in the charts on Pages 24 through 26. Overall, there’s some evidence that the influence of security execs in their organizations is on the upswing. For example, the number of respondents with senior-level titles—CSO, CISO and vice president of security, to name a few—increased from 2004. Another supportive statistic: 59 percent said that senior management views the security leader’s role as a strategic and permanent position, compared with just 17 percent a year earlier. And 48 percent said that security is viewed as essential to business as opposed to an overhead cost, up from 25 percent in 2004. Perhaps this new, improved senior management view of security reached a tipping point in the past year.

In terms of backgrounds, our respondents generally have a bigger bag of credentials than in 2004, including more CISSPs and CPPs. One statistic that sticks out: Almost one-fifth of those surveyed have their MBAs. The growing prevalence of that degree dovetails nicely with our profilees, three of whom—Barnes, Becker and Johnson—are business school grads. Becker, in fact, believes that it’s the most valuable graduate degree a security exec can have. “For the most part, the security function is a business function,” he says.

All of our profilees expressed how important communication and relationship-building skills are to succeeding in their jobs. Kee’s security program at the Port of Vancouver depends on his building a coalition of diverse groups, ranging from law enforcement to union bosses to government regulators. Barnes has convinced other business execs at Kiawah Island Golf Resort that by working with his department, they can retain their profits—by reducing shrinkage, for example.

Our survey respondents apparently don’t need convincing. When asked for the primary reasons security leaders get fired, 70 percent of them cited an inability to communicate with executive management. If you’re having trouble getting the security message out, it might be time to brush up on your Dale Carnegie.

We were struck by how much passion our profilees have for their jobs. Magnotti, for example, finds inspiration in the security formulas and theories that he applies to protect the networks of the House of Representatives. Johnson recently organized a forum of security managers in the Pacific Northwest to talk about their challenges and share best practices.

All in all, our survey shows that security execs had a pretty good year. They’re having greater success selling the value of security, and management—a smart shopper, to be sure—is buying. But in the Darwinian microeconomy operating inside companies, the strong survive, and the weak are chewed up or labeled irrelevant. A CSO’s sales pitch never ends.