CSOs: Three and Out?

I’ve had this cynical idea floating in the back of my brain for a while: The optimum tenure of a CSO might only be three years.

The reasoning, based on a lot of discussions with CSOs, looked something like this: Year one, you’ve probably been invited to clean up someone’s mess. Year two, your new policies are getting traction, your budget is approved, your new systems are getting implemented. Year three, your benchmarks are showing the results of your labors. Awareness is up. Incidents are down.

But something else is happening in year three. Namely, some other leadership positions in the company have changed and new management doesn’t agree with your priorities. Meanwhile, the people who’ve stayed are getting tired of your voice and some (or all) of the controls you’ve put in place. The mess you cleaned up has been more or less forgotten. (Which reminds me of the the story Locked Out from a few years back.)

At that point, you might choose to throw up your hands and “become a consultant” for a while, as so many security leaders do. The consulting lifestyle (in the instances where it isn’t a euphemism for “looking for another full-time job”) definitely has its downsides, but at minimum it ensures that the folks you’re talking to are mostly not tired of your voice.

As I said, it’s a cynical thought. Happily, when I look at the results of our “State of the CSO 2008” survey, I see reason for hope. Respondents say the importance of risk management continues to rise in the corporate world (even if regulations remain a primary driver). Senior managers (though not the average employee so much) demonstrate more and more of a grasp on their own security-related responsibilities. Security job tenures are even up.

Why is that? I think it’s because you’re doing a better and better job of speaking in the language that resonates with your fellow businesspeople. We’ve been conducting this research since 2003, and the percentage of survey respondents who have MBAs continues to rise slowly but steadily. That’s just one data point, and the MBA isn’t a cure-all for security. Nevertheless, I think it’s a telling sign.

So now what? I think the business savvy that CSOs are showing has to be pushed aggressively to the rest of the security staff. Stronger security personnel yields stronger security. To that end, we’ve focused the articles in our June print issue on personal development areas that you can use to refresh your own memory and disseminate to your staff. We’ll roll these articles out online over the week of June 16th.

Frankly, if you’re in a leadership position and you’re just encountering these concepts for the first time, you’re quite late. We’ve been writing about financial measures and communication skills for about six years now. (See, for example, Let’s Talk from our first issue in September 2002, and Calculated Risk from December of that year.

But better late than never. The more business-minded security becomes, the less I think we’ll see of the three-and-out phenomenon.