by Senior Editor

Evolution of the CSO

Jun 10, 2009 | 14 mins
CSO and CISO, IT Leadership

From incident reaction to proactive risk assessment, the CSO role has evolved dramatically. Next stop: new services and business operations intelligence.

It’s been almost 15 years since David Kent first came to Genzyme, a biotech firm headquartered in Cambridge, Mass., that develops medical treatments for ailments such as certain genetic diseases and some forms of cancer. In 1994, the company had less than $200 million in sales, and only about 1,000 employees—a stark contrast to its worldwide workforce of 11,000 today and the $4.6 billion in revenue it reported in 2008.

Kent’s first experience with Genzyme was as a consultant. The company had lost some of its intellectual property through a theft, and Kent—then working for Bolt Beranek and Newman as a security manager—was called in to help evaluate the situation. His work with the firm grew into a job offer to be Genzyme’s director of security. The goal was to have someone aboard with an intense focus on the security position of the organization to prevent other thefts from occurring.

“At that time, I think there were about nine different card access systems. One person was handling their voice and data and their office services,” says Kent. “It was an organizational design reflective of a rapidly growing business. There was no thought put into security, it was a lower priority. It was sort of a barren landscape from my viewing.”

His first project was to examine how laboratory notebooks were handled, to make sure the theft would not be repeated. After that, he moved on to assessing the physical security of the building and addressing the multiple card reader situation by implementing a single card solution. Kent and his team began pushing for security standards across the corporation, slowly picking away at information systems security challenges as well. It was a forge-ahead, forward-thinking philosophy for security that had not been seen before in the firm.

“Left to its own devices, we wouldn’t have the program we have today. We would have separate silos. There had to be someone in the organization to drive this stuff.”

As the company grew, more emphasis was placed on security. But it was the Bio International Exposition held in Boston in 2000 that gave Kent the perfect opportunity to show how his department could go beyond reactive protection to proactive security.

“It was the first major East Coast meeting following WTO [the World Trade Organization meeting] in Seattle. The members of the Genzyme senior management team were the chairs for the meeting in Boston. We were asked to coordinate security around the meeting. There were about 14,000 people expected in for this event, and demonstrators could shut down the show.” Kent says for several months he talked with area law enforcement agencies and other companies that might be targeted for demonstration and urged them to prepare. By the time the event arrived, Genzyme security officials had coordinated the work of 80-plus agencies and were holding regular meetings with multiple organizations. (See another case study on event security planning in this profile of Boston’s 2004 Democratic National Convention.)

On the opening day of the expo, 3,200 demonstrators turned out in front of the hall. Their presence, according to Kent, was uneventful; exactly what he hoped for.

“Nothing happened,” he says. “So we got tremendous visibility for that. When bad things happen, you’ve got to have the ability to have a good response. Those are the things they remember.”

Soon after the event, Kent was elevated to vice president of security. The promotion, he says, marked the official beginning of the security group operating under a CSO model.

A Skill Set Beyond Security

Kent’s experience at Genzyme is familiar at organizations around the world that have decided to place a top security officer, a CSO or a CISO, as the key point of responsibility for a company’s security. The number of such positions has been increasing for more than a decade now. But as the role has grown, so have the expectations of the organizations hiring for it. As security programs become more robust and sophisticated, so, too, do the expectations of companies that have a top security officer in place. CSOs are now expected to expand their skill set: Those with technical backgrounds must understand facets of regulation, compliance, security and risk beyond the data center. CSOs from a physical security career, such as law enforcement or the military, must also understand information systems and the threats posed to their organization’s data assets, not just the facilities those assets are housed in.

It is an evolution that industry analysts expected when the first CSO roles began appearing in corporations. Much as the role of the CIO has changed, it was inevitable that CSOs would go through the same experience.

“They, of course, share the same problem that CIOs have traditionally faced,” says Paul Saffo, a Stanford University professor, forecaster and essayist with a focus on long-term technological change and its impact on business. “CIOs have been the Rodney Dangerfields of management. ‘I don’t get any respect,’ because their work is so arcane. The other XOs never understood it, or even tried, until recently. CIOs are moving past this stage slowly, but I think the CSOs are still hitting this.”

However, while corporate perception of the CSO role is still unfolding, the job has some history to it, and recruiters and hiring managers are becoming savvier about what they want in a security executive, according to Tracy Lenzner, CEO of The Lenzner Group, an executive recruitment firm specializing in security.

“Clients are getting more sophisticated in what they are looking for and what they need,” says Lenzner. “Now we are in the second and third generation of these roles. Some companies are looking at these areas for the first time, but, by and large, companies are filling roles for people who had been there previously.”

From Techie to Business Executive

In the early days, information security professionals were viewed as two things, according to Steve Katz.

“Highly technical, and the people who consistently said ‘no’,” he says.

Katz, considered by many to be the first person to hold a chief information security officer position, began to debunk the notions around information security when he was recruited in 1995 by Citicorp (now Citigroup). The company hired Katz after a hacker broke into Citibank’s cash management system and siphoned $10 million into his own accounts. Much of the money was not recovered. The theft brought information security to the forefront for Citibank, and the company wanted someone to minimize the risk that such a breach would occur again. Katz’s CISO title was created by a board headed by former Citicorp CEO John Reed.

“His view was: Let’s bring a business perspective to information security,” says Katz. “[Reed] said, ‘Citicorp sells two things: money and trust.’ As security, we were there to help them deliver on the trust component.”

Katz says he spent much of his first year traveling to meet with Citi executives around the world. His mission was to put a face on security and figure out what needed to be done to protect the company. He asked executives, “Do you care about who you transact with? Who are your customers?”

“Technology wasn’t part of it,” says Katz. “It was simply, ‘Do you care about keeping information confidential and private?’”

In turn, Katz began to introduce concepts such as identity, and company officials began “shaking their heads and saying ‘Yeah, that makes sense,’” says Katz.

Katz, who now runs his own consultancy, continues to meet with CSOs and CISOs and does some mentoring as well. When he is giving career advice, he urges up-and-coming security professionals to hone their understanding of business and risk if they want to be successful in today’s corporate climate.

“The role is becoming a technical- and business-risk effort much more than it is viewed as a security role. The requirement to work with business professionals is probably the greatest hurdle security professionals have to face. If you aren’t at home working with people at the executive level of a corporation, you will be relegated to a much smaller role in the company.”

The CSO of the Future

To project future developments in the CSO role, it’s again useful to look a bit deeper at the CIO position, arguably the most recent to make the transformation from corporate support player to a more elevated executive spot. (Though not the first; recall that CFOs, before they became strategists focused on shareholder value, were simply accountants.) The challenge for CSOs, says Saffo, is to find ways to demonstrate their effectiveness beyond their core protective mission. He believes going to the next step will require CSOs to do what CIOs have managed to do over the last decade: move from a support and infrastructure role to a central role in enhancing productivity and effectiveness around a company’s core mission.

That is the hope of Beth Cannon, CSO with Thomas Weisel Partners, an investment bank and broker-dealer based in San Francisco. Cannon has been with the company from its beginning in 1999, taking on the CSO role in 2004. Prior to her promotion, she was responsible for engineering and infrastructure, including operations on the server and network side.

“I had always had some level of security under me related to compliance and the network,” she says. “When regulations started increasing, the CIO said, ‘I think we need someone to focus on these things.’ That’s how my role was born in the company.”

In five years, the role has clearly changed, says Cannon. The company began doing international business, and Cannon then had to learn about compliance rules in several other nations in addition to the United States. The company also went public in 2006.

“Initially the job was very operational and infosec-focused in the respect that we had to get our patching stuff up to date, our network activity logged,” she says. “We had to get several things in place in order to have a better handle on what was going on outside of the network.”

Now, according to Cannon, many of the protective measures she put in place at the start of her tenure have become operational. Things that had to be taken care of in the beginning are simply business as usual now. That has given her a chance to put more time into finding ways for security not only to protect, but also to add value to the organization. A primary focus now is business continuity, she says. The recent swirl of concern around the swine flu pandemic helped bring the issue to the top of mind for executives.

“Now I’m trying to get out there and say, ‘This is more than just technology. Let’s talk about what you are going to do with your personnel.’”

Another focus now is data classification. Cannon says she hopes her efforts will give security a seat at the executive table as she demonstrates the value that the department brings to future compliance and regulation efforts in the firm. Slowly, she says, she is pushing past that perception that security is merely a cost center, demonstrating its importance to the future mission of the company.

Just as social networking sites and other Web 2.0 applications have combined existing platforms to create a new way for users to communicate with each other, CSOs will need to combine knowledge of several aspects of business in order to effectively assess risk and communicate with executive management, according to Eric Domage, an information security analyst with IDC who focuses primarily on Western Europe. Domage recently spoke at a risk management conference about his vision of the duties for CSO 2.0.

Personal and communication skills are crucial for CSO 2.0 (a need that has been reflected in the “State of the CSO” survey results for years: Respondents in 2003 named communication as the most critical skill for success). While many security directors may have come into their roles with a primary focus on one security concentration and little communication elsewhere in the organization, they will now be required to work with many others throughout it.

Those who cannot, won’t have a future, according to Tim Williams, director of global security at Caterpillar, the world’s largest maker of construction and mining equipment, diesel and natural gas engines and industrial gas turbines. Williams likens the changing landscape to a game of musical chairs.

“The music has stopped and the people who are able to get the chairs today and in the future are the ones who really do have the business context and outlook.”

Williams, a professional with decades of experience in security roles with companies such as Procter & Gamble, Boise Cascade and Nortel, sat on the board of ASIS International, which first put together an official definition of a CSO five years ago. Today, Williams defines the role as one of enterprise security risk management.

“The CSOs who have put together a cohesive strategy for the industry and the culture in which they work are probably the ones surviving this economic downturn,” notes Williams. “They have the ability to explain what the security process is, link it to the business and show the value.”

Williams believes that CSOs and CISOs will need to come to the table armed with knowledge of the security risks to the enterprise they work in, and be able to put that knowledge in a business context that anticipates both the economic impact of a risk event and its frequency or likelihood. He also speaks passionately about the need for an effective security leader to work well as part of a team. He credits much of the success he has experienced so far at Caterpillar to the strong dynamic between members of his security department.

Williams concurs that the job of the new CSO is to be an executive with security-functional expertise. But how the CSO engages with the business and puts risk into its context is an art and a science that each CSO will need to master to gain the respect Saffo referred to previously. It will take a thorough understanding of a company’s product line and economic drivers, in addition to its risks. And it will likely mean knowing how to make the case for investment with limited resources. Williams believes that the number of security executives who hold MBA degrees will continue to grow in the future.

“You have got to develop a cohesive, understandable, clear strategy for how you are spending the company’s money and what risks you are addressing as a result of that spend,” says Williams. “The pressure will now be on the ability to logically and cohesively defend and advocate for dollars. It is a critical skill set we better have, or we are in trouble.”

And for those who do have the necessary skills? A walk through the halls of Genzyme today might offer a glimpse. CSO toured the facility recently and had a chance to see Kent’s state-of-the-art program, which approaches security with an “all-hazards” view of risk. It includes an impressive monitoring room where staff members assess potential real-time risks to the company, drawing on data from all over the world.

Such an all-encompassing view isn’t confined to a basement operations center. Earlier this year, Genzyme combined security, risk management, competitive and technical intelligence under a single purview and changed Kent’s title to vice president of global risk and business resources. Vastly different from his early days with the company as a security professional brought in to react to a negative event, Kent now takes a seat at the table with other executives in the company to discuss security strategy and risk assessment.

He is optimistic that this group will prove not merely reactive, but will grow in its ability to provide business intelligence.

“We are leveraging obvious synergies between the groups,” says Kent. “The interesting work, though, will be discovering new connections and building the resulting services that we don’t know about today.”