RFG believes the Chief Security Officer (CSO) role encompasses a set of responsibilities that must be addressed in an enterprise regardless of whether a single individual is responsible for them. However, staffing such a position can be an important strategic move for an enterprise, boosting customer and partner confidence and helping bridge the gap between business process demands and security requirements. IT executives should first determine whether they and their own departments could adequately address these responsibilities. If not, IT executives should champion the cause of staffing such a position.
— A CSO is primarily responsible for all aspects of security throughout the enterprise. Although these usually involve electronic security needs, they also often include non-electronic factors such as physical site access as well as policies and procedures for secure daily operations. IT executives should champion the cause of creating such a position in an effort to better meet the strategic security needs of the enterprise.
— Regardless of whether a single individual fills a CSO's role, the responsibilities that fall under that title must be addressed in an enterprise at the executive level. IT executives should examine their own daily responsibilities, as well as those of other executives such as the CTO, to determine whether they have the time and energy to dedicate to these tasks. If not, IT executives should consider pushing for a separate executive-level role to address security issues.
— The employment of a CSO can send an important message to customers and business partners – that the enterprise cares deeply about security. This is especially important if the enterprise is large and diverse, operates in a particularly security-sensitive industry such as finance, government, healthcare, or pharmaceuticals, or has recently been the victim of publicly visible security failures. IT executives should weigh these needs in deciding whether it is necessary to staff such a position.
As security threats continue to become more covert and intricate, and continue to dominate the public eye, a strategic enterprise focus on security has become an absolute necessity. However, complete security is possible only through complete disconnection from the outside world both physically and electronically, and no business could be conducted in such an environment.
The security balancing act has often fallen to IT executives and their departments, leaving them struggling to meet the application access and delivery demands of lines of business (LOBs). In addition, they are also held accountable for security breaches resulting from changes made to meet those demands, including changes to user environments. Further, many companies are only now starting to grapple with the breadth of the issues involved, such as employee fraud and information theft, teleworker network security, and so forth.
Addressing security risks requires coverage in several different areas, including the development of policies and procedures, implementation of protective measures, and auditing of those policies, procedures, and protective measures. IT departments commonly provide this coverage internally or via outsourcing arrangements with security providers and auditing firms. However, this often leads to a spaghetti pile of security needs and of methods used to address them, which can create intractable problems for IT executives seeking to meet future LOB demands without compromising security or adding administrative complexity and cost.
To address these issues, many companies are turning to a new executive-level role – the CSO. A CSO is typically tasked with the following responsibilities:
— Act as the company representative with respect to inquiries from customers, partners, and the general public regarding the enterprise's security strategy.
— Act as a company representative when dealing with law enforcement agencies while pursuing the sources of network attacks and information theft by employees.
— Bridge the gap between LOBs and the IT department to balance security needs with the enterprise's strategic business plan, identify risk factors, and determine solutions to both.
— Develop security policies and procedures that provide adequate business application protection without interfering with core business requirements.
— Plan and test responses to security breaches, including the possibility for discussion of the event with customers, partners, or the general public.
— Oversee the selection, testing, deployment, and maintenance of security hardware and software products as well as outsourced arrangements.
— Oversee a staff of employees responsible for enterprise security, ranging from network technicians managing firewall devices to security guards.
The most important traits for a CSO are excellent interpersonal and written communication skills and solid knowledge of electronic and site security issues, as well as of the company's business requirements. Above all, the individual must possess the leadership abilities to bring IT department and LOB executives to the table, strike a balance between business and security requirements, and persuade all parties involved to pursue a balanced course of action.
Some companies employ a CSO solely to focus on electronic security threats, which often happens because of the attention paid to problems in this area by customers and the media. However, this move sells the position short; theft of confidential information can occur through public networks, through deliberate employee theft, or through outsiders breaking into a physical site and tapping into the corporate network.
The proper role of a CSO should address all aspects of security, offloading some of the functions of the IT department in this area. More importantly, the individual must be furnished with the budget, power, and staffing to make necessary changes to protect the interests of the enterprise. Lacking any of these factors, the position would become impotent with respect to effecting change in the company's strategic security plans.
IT executives should examine the security needs of the enterprise when determining whether a CSO is required. In many cases, company size or budgetary constraints would prevent the addition of a CSO – obviously, a company whose IT department is made up of six individuals including the CIO might be hard-pressed to justify an additional, executive-level position solely to focus on security. In such cases, the individual or individuals who fulfill the security responsibilities will likely report to the IT executive. If a CSO position can be staffed, it should be as a peer of equivalent level to the CIO, giving the individual sufficient authority to make crucial security decisions.
To prepare for discussions on the topic with other executives, IT executives should identify the following factors:
— The complexity and diversity of the enterprise (including geographic factors).
— The need for a public figurehead to own the security responsibility.
— The size of the enterprise.
— The size of the IT department.
— Security threats currently facing the company.
— Expected future threats due to plans to increase teleworker head counts, share more information with partners, etc.
— The value of the information on a business application basis.
In cases where an additional employee is not justified, IT executives should ensure that the CSO's responsibilities are filled within their own departments. The exception to this is physical site security, because where a CSO is not employed this responsibility is not usually owned by the IT department. A single individual, such as a mid- or upper-level director or manager, may still own these responsibilities, or they may be split based on type of work, such as audit, policy development, and product specification. Regardless of the size of the IT department, these tasks must still be addressed.
Where it is possible to employ a CSO, IT executives should champion the cause. This role can reduce some of the demand from the IT department and reduce the number of questions that can cause headaches for the IT executives themselves, such as how to prevent employees from stealing confidential business information. More importantly, if properly executed, the position of CSO can act as an important bridge between the IT department and LOBs seeking to change or enhance how they conduct business. The CSO should be able to head off attempts to open the network or systems to external access where this would increase security threats, despite LOB demands that this be done.
The CSO can also send a message to customers and business partners. By filling this position, the company can establish the level of its concern about security and ease concerns over how confidential and sensitive information is protected. This can be crucial for companies that are especially large or diverse, because security is such a complex aspect in those organisations that few customers can be convinced these days that the IT department alone is capable of providing for the enterprise's strategic security needs.
Finally, the placement of a CSO can send a message to the general public at a time when it is especially focused on security issues. If the company has recently been attacked or had confidential information disclosed by a disgruntled employee, this could be a very visible method of reassuring the public that the issues are of concern and are being addressed. For all these reasons, IT departments should champion the cause of filling the position of a CSO at their companies.
RFG believes a CSO is a necessary role in the enterprise regardless of whether it is filled by an executive-level individual. IT executives should examine their departments to determine whether existing staff is adequately meeting these responsibilities. If not, IT executives should champion the cause of employing such an individual, and assist other executive-level employees in understanding the value and importance of the position to the enterprise. IT executives should work closely with LOB executives and other peers to ensure the establishment of such a position is a team effort.
Chad Robinson is a Senior Research Analyst at the Robert Frances Group