CURRENTLY, I'M THE VP of security at a global corporation, a title I've worked hard to get and one of which I'm proud. But all the talk about CSOs has made me think about my role here, how our department's profile has changed in the past few years, and how such a title might convey top management's commitment to what we're trying to accomplish. Frankly, I wouldn't view it as a promotion, and this is not about more compensation. I think a title change to CSO represents a logical next step in the evolution of corporate security within this company.
So I've undergone a sort of self-assessment in order to have some talking points when I confront my boss. I've considered my place both within my organisation and among my peers. I know from talking to colleagues that budgets have tightened and the number of CSO titles have not appreciably increased in the past year or so. Which means I'm probably fighting an uphill battle. But I think it's worth teeing up to gauge where management sees our mission going.
My information security counterpart in our organisation is in a separate department. We're both vice presidents and work very closely for obvious reasons. He has successfully captured the CISO title and enjoys more seniority and influence within the corporate structure than the traditional CSO. Chief risk officers and chief legal officers similarly seem to serve at a considerably higher level than do physical security executives. What is it that gives them this seeming legitimacy?
The notion of chief-whatever carries weight in business circles, yet the CISO mantle was passed virtually without a peep. My friends in HR told me that was, in part, because of our unyielding reliance on our technical environment. But I also know that the CIO talks with the CEO daily about risks to system integrity. He's the CISO's strongest advocate for very selfish reasons. I have good relationships with several board members, but I don't have that sort of advocate near the corner office.
In the midst of my introspection, I happened to receive "Corporate Security Management: Organization and Spending Since 9/11," a recent publication from The Conference Board, a respected research organisation that produces conferences, makes forecasts, assesses trends, and publishes information and analysis on the current business climate. I know a number of our senior executives are members, so this, I thought, might help my cause. With sponsorship from ASIS International, The Conference Board interviewed more than 330 security directors, risk managers and IT security officers. More than half came from companies with over $US1 billion in annual sales. The purpose was to ascertain general patterns of security management and to identify changes in business functions and spending since the terrorist attacks in September 2001.
The report shed light on the current CSO role within the organisation. But the analysis contained within it hardly provided me with the ammunition I needed to support my case for chiefdom.
Given my desire to acquire the CSO title, I had been somewhat heartened by a Deloitte Touche Tohmatsu "2003 Global Security Survey" that found that 63 per cent of respondents in the financial services industry currently have already established or plan to establish CSO or CISO positions in the next two years. I'm sure that financial services people care very deeply about information security, but I'm also sure that they are not alone in considering the critical infrastructure. Now, I thought, was the time to make a case for the evolving role of the senior security executive.
But I was chagrined to learn from The Conference Board report that, of the companies queried that do not already have the position, only 5 per cent said they are planning to create a CSO. In addition, the report goes on to show that most security executives serve below the vice presidential level and are paid less than $US150,000 per year. Only 24 per cent of the respondents held the position of CSO, although they didn't always use that exact title.
That jibes with my view that the CSO title, while sexy, is not as relevant as the actual responsibilities that go with the job. I'd wager that, if you laid a CSO job description beside that of a corporate security exec who owns a broad scope of services with second- or even third-tier reporting, you wouldn't see a dime's worth of difference. We're untitled CSOs. With the title, we gain opportunity for the greater access and ability to get things done.
The Conference Board survey suggests that strategic business management does not loom large in the career paths of security directors. In fact, barely one-fourth of respondents report diversified corporate management experience. Using the International Security Management Association as a sample, I see a small but growing number of large corporation security executives who have come to security by way of internal line-of-business tracks. But if these "outsiders" fail to understand the business aspect of their particular company, they're not around very long. Without such a foundation, how could anyone provide a risk-responsive security organisation? Ex-law enforcement, information technology or other specialist backgrounds have to earn their bones just like the rest of the line senior managers.
Less than a quarter of respondents reported to the CEO, COO or CFO, while almost the same percentage reported to the head of facilities. If you peel this one back, you'll likely find that those in the first group are in industries where reputational risks are in the forefront; in the latter group, theft, workplace violence and physical security are the primary concerns.
The report — and its companion report regarding salaries — goes on to compare titles, compensation and spending on security post-9/11. The Conference Board takes into consideration where one sits in the hierarchy (do you have a C-level title?), your compensation and to whom you report. It suggests that a routine reporting relationship to the CEO or COO is still relatively unusual — apparently only 15 per cent of the sample reported to either of those people.
I'm beginning to sound like a whining malcontent, but at every place I've ever worked, the CEO and COO were reasonably busy people who needed to limit their span of control. Did I have access when I needed it? Did they listen and act based on well-founded conclusions? And did they give me what I needed to get the job done within the agreed-upon scope of my responsibilities? You bet. Who cares to whom I reported?
In the midst of my angst, however, I have an epiphany! What if CSOs and CISOs could collaborate, plot and actually support one another! Oh. My. God. It kind of reminds me of that song in the musical Oklahoma. "The farmer and the cowman can be friends." (Sorry. I'm showing my age.)
Security has to be a core cross-business process led and staffed by specially qualified individuals not dissimilar to those in risk management, personnel management, legal, ethics and compliance, real estate, marketing, information technology, or finance. We are all in the internal services industry with a captive clientele who judge us one transaction at a time.
So I'll come right out and admit it: I'm not a CISO. I come from the less technical side of our business. You can take that to mean that my background is not within the more technical confines of IT security. You can be sure, however, that for the IT responsibilities that lie within my accountability, I have really, really competent professionals who work splendidly beside our IT people.
I'm trying to live with that limitation in a digital world. But I also have to live with the fact that some of the IT people make more money than my team — an issue of which I've been aware since we started doing background investigations on them. It's a fact of life, and those who yearn for the CSO title need to get over it. We need to reach out to our infosec brethren because, regardless of what is now in their portfolio of offerings, no security executive in the future can be ignorant of information risk management. These risks are simply too pervasive and important. Measurable protection cannot be found in unconnected silos. Right?
So here I am, reconsidering my centralisation and one-silo biases. I have to consider the obvious between-the-lines conclusion that security responsibilities in some companies are business-centric.
Is it possible that there is an accountability model at work in those companies that addresses risk better than a centralised model? Might a deeper look into the relationships among security responsibilities reveal that the culture rewards collaboration and an effective matrix approach to cross-company issues such as security? Is the notion of a CSO committee so out of the ballpark that our egos don't permit such title entitlement?
What we need to do as security professionals is establish a set of protocols that drive our collective operations to share ideas, integrate security strategies and plans, and engage in cross-discipline training. We need to become a team focused on the diversity of threats that confront us across the globe.
Perhaps we could find a forum that crosses the artificial line of technical and operational security, some way to bring a group of us together to develop the ideal relationship. The debate can only contribute to better security for our employers and shareholders.
I think I've discovered that all this is much less about why nobody at the top loves me enough to dub me Almighty CSO. It's about being more attuned to the breadth of risk to our company and how I can collaborate with my IT colleagues to make our safeguards more integrated and cost-effective. Maybe, just maybe, that sort of leadership and collaboration will earn me some advocacy, and chiefdom might be the reward.
Thanks Conference Board. I'll be interested to see where we go during the next several years.
This column is written anonymously by a real CSO at a major US corporation.