Most US corporate security officers share a common strategic role. But operationally, the duties of those filling such positions — whether the title is chief security officer (CSO), chief information security officer (CISO) or something else — are as diverse as the IT industry itself, according to a panel of security executives.
Gathering here in Myrtle Beach, South Carolina, at the fifth annual International Techno-Security Conference, the panel painted a picture of a set of corporate positions that are still in their embryonic stages despite their high profile. Although the strategic role of enhancing brand value and supporting business decisions provided common ground for the panelists, they found little in common otherwise.
Jeff Reich is director of information security at Interland, an Atlanta-based Web hosting company, as well as the former architect of security programs at Dell Computer and online payment vendor CheckFree. His role has differed at each company, he said.
"When I was at Dell, we really focused on protecting intellectual property," said Reich. "When I was at CheckFree, our main focus was on privacy and protecting the integrity of the transactions. And now at Interland, my focus is to provide all of those things to our customers."
Mary Ann Davidson, CSO at Oracle, said her role is still in flux. "I will be moving in the reporting structure to the chief technical officer/chief corporate architect, which is a development organisation one level below (CEO) Larry Ellison," Davidson said. "That will actually give me more authority."
At Oracle, that means being able to stop a product from shipping if it fails to meet certain security standards.
Ron Baklarz, CISO at the American Red Cross, said he spends a lot of time supporting the organisation's physical security and legal departments.
"We have a lot of issues internally," Baklarz said, referring to insider abuse and potential fraud cases that require investigation. And it is in that area that Baklarz's role as CISO differs greatly from many others. Baklarz has a background in forensics, and because of budget issues he takes it upon himself to conduct most of the preliminary internal investigations throughout the organisation's 1000 chapters.
But doing such work in-house can cause problems. "One of the things you need to be careful about is that if something bad happens, you're going to need separation of function that will be very difficult to obtain" if forensics is in-house, Davidson said. Companies need to be able to show that there was no conflict of interests in the investigation.
Avoiding potential conflicts in the corporate reporting structure is another area where the role of the CISO has yet to be ironed out completely. Baklarz, for example, said he has reservations about reporting to the CIO.
"I have mixed emotions about that," he said. "In building a new security program, it doesn't matter that much. But I can't sit here and say that I haven't had any situations where I felt there was a conflict of interest where (the CIO) had to make a decision that I felt was incorrect and he went off and followed the business (logic)."
Tim McKnight, chief information assurance officer at Northrop Grumman in Herndon, Virginia, said there's been a tendency in the current organisational model at some companies to allow technology to drive the decision of who reports to whom. "It would be very advantageous if you could report directly into the board of directors," McKnight said.
One way companies could avoid conflicts is to give the CISO a dotted line in the organisation chart to the audit committee, which would "give them the ability to have the last word" on security issues that are relevant to business decisions, said Joyce Brocaglia, CEO of Alta Associates, a Flemington, New Jersey-based executive search firm focusing on security professionals.
The role of the CISO comes down to being able to forge partnerships, said Brocaglia.
"The person that is best suited for the role of CISO is not necessarily the most technical person on board, but rather the person who understands risk, the person who can sell upward, the person who really has the soft skills, who's gone to charm school and can communicate a broad enterprisewide perspective about security," she said. "That's what corporations are starting to ask for."