In a speech last fall, US Senator Robert Bennett (R – Utah) urged security and business professionals to think of data with the same reverence as one thinks of money. He said we have to be as mature about security as accountants are about money. Just as accountants achieve efficiency and effectiveness under the guidance and coordination of a chief financial officer (CFO), security teams will reach their optimal levels under a chief security officer.
Corporate security is more than so many technologies. It involves physical, psychological and legal aspects, such as training, encouraging, enforcing and prosecuting. It involves strategic planning, skilled negotiating and practical problem solving. Only an individual with strong business savvy and security knowledge can oversee security planning, implement policies and select measures appropriate to business requirements.
The role of chief security officer (CSO) has burst onto the corporate scene in North America and Europe in the last two years. Today, there are more than 200, but their respective job descriptions, reporting structures, qualifications and compensation are wildly diverse. Therefore, despite some clear indications that organisations are adopting the role of CSO more frequently, there is little agreement on the nature of the position.
Changing security architectures and the increasing priority of security measures are spurring the emergence of CSOs. Most organisations struggling with e-business pressures recognise that an elevated security posture is appropriate. What doesn’t seem to be appropriate, however, is to leave strategic business risk decisions in the hands of IT administrators. IT staff are not in a position to evaluate business risk. Technical risk is a different matter. Business risk is the task of business managers and executives, advised by their auditors and their CSO.
The title “chief officer” should not be used lightly. “Officer” assumes liability. A few corporations in North America have included the CSO as an actual appointed officer in the corporation bylaws. Therefore, we expect that companies will either discontinue the title, opting for something along the lines of director of risk management, or they will begin adding the CSO to the bylaws.
The newly assigned CSO (or equivalent) has the challenge of directing technology, policies, processes and people toward a common security posture. Mapping technical security measures to real and measured business needs, helping business managers assess what security needs really are and negotiating with service providers to deliver acceptable service levels are just some of the tasks of the head of security.
The first priority of a new CSO should be to ensure that security is an enterprisewide concern and an enterprisewide responsibility. The first task would be to evaluate the security policies and procedures in place, determine what works and what does not and then chart a course from there. Once the situation is understood, the CSO should communicate the necessary changes to the business community, demonstrating to stakeholders why the new policies are essential and contrasting the new metrics with the old.
Consider Combining IT and Physical Security
Shortly after September 11, 2001, this scene played itself out in dozens of executive offices: The chief executive of a company called in the head of IT security and the head of corporate or physical security and asked for a report on security preparedness. The frequent result was that the two security managers had never met nor spoken, and certainly had not developed a coherent and comprehensive internal security strategy.
The business executives relaying these stories felt that it was strange that two departments, each with the same mission statement — to manage and reduce business risks — were not coordinating their efforts, notwithstanding the remarkable idea that there were two security departments in the first place. The reason for having two is historically understandable: physical security technologies require a different expertise than IT security technologies. But business executives tend to look at risk management as a business process. So the business process of security was clearly not efficient and likely not effective while segregated.
In the past, business managers have blissfully relegated technical risk management to specialised IT and corporate security teams. Corporate security personnel have focused on employee safety, crime prevention and physical risk management. Similarly, IT security staff have had their own interests, such as logical perimeter defences (firewalls, etc.), password management, hacker prevention and Web site security. But after Sept. 11, it seems common to hear security referred to in terms of business value and business process. For example, disaster preparedness, competitive espionage and cyber-terrorism each impact the entire company, its shareholders, its employees and both sides of the security program.
The CSO responsible for directing the activities of the corporate security and data security functions will oversee a variety of synergistic tasks:
—Develop, implement and manage the overall enterprise processes for technical and physical risk management and associated architecture.
—Develop and implement policies, standards and guidelines related to personnel, facilities and data security, disaster recovery and business continuity.
—Oversee the continuous monitoring and protection of facilities, personnel and data processing resources. Evaluate suspected security breaches and recommend corrective actions. Negotiate and manage service-level agreements (SLAs) with outside suppliers of protective services or data hosting.
—Serve as the enterprise focal point for computer security incident response planning, execution and awareness.
—Define, identify and classify critical information assets, assess threats and vulnerabilities regarding those assets and implement safeguard recommendations.
—Define, identify and classify critical facilities (such as office towers and data centres), assess threats and vulnerabilities regarding those assets and implement safeguard recommendations.
—Assist internal audit department in the development of appropriate criteria needed to assess the compliance of security standards by new and existing personnel, applications, IT infrastructure and physical facilities.
—Establish and monitor formal certification programs regarding enterprise security standards relating to the planned acquisition and/or procurement of new applications, technologies or facilities.
—Assist in the review of new facilities, applications and/or technology environments during the development or acquisitions process to (1) ensure compliance with corporate security policies and directions and (2) assist in the overall integration process.
—Oversee the development and be the enterprise champion of a corporate security awareness training program.
—Manage personnel associated with security functions.
Combining organisations with similar missions leverages economies of scale.
However, the political reality is that there are winners and losers in almost every reorganisation, which makes the process difficult to execute. The result can be a series of compromised “dotted-line” relationships.
The CSO will either report to the CIO, as is common in midsize to large organisations where the emphasis is on technical measures mitigating technical threats, or to the CFO or other business executives in very large corporations or where there is low tolerance for business risks and where security is a combined IT and corporate function.
The CSO may additionally serve on the executive council, or equivalent, and the CIO’s architectural strategy council, or equivalent. The CSO will be the direct or dotted-line manager of all corporate and IT security personnel.
Interestingly, there seems to be no clear trend about when a company will place the head of security above the CIO, reporting to the CIO, or several levels below the CIO. Mostly, it appears to be a matter of corporate culture. Some individuals have the title of IT security director but the job responsibilities of a lower-level manager. Some report to levels below the CIO, others directly to the CIO.
Historically, companies understand why autonomy is important for auditors but are slow to realise the same logic applies to the CSO. For the same reasons — mainly, to avoid conflict of interest — CSOs should not be under the supervision of those under their scope of evaluation. Just because their venue is primarily computers does not mean they should report to the CIO.
One company’s CSO candidate used the job interview to successfully convince the CIO that the CSO should no longer report to Information Technology. The candidate outlined many conflicts of interest experienced with the prior employer that reduced the effectiveness of the security organisation. The CSO/CIO relationship impeded production implementation of new applications when security requirements were not met. The relationship also caused security funding to be vulnerable to budget reductions, for example, to offset development projects that were over budget. Finally, the influence of the CIO had made it difficult for the CSO to avoid bending security policies to accommodate business customers. The candidate convinced the CIO there was sufficient cause to avoid even the perception of conflict of interest and the decision was then made to have the CSO report to the chief operating officer (COO).
Physical security skills combined with familiarity with IT language and issues constitute the optimal, though extremely rare, background for the CSO. The more common qualifications will include an IT security background, experience in business management and professional expertise in physical security and law. Specifically, the CSO should have the following qualifications:
—A college degree (BA/BS) or equivalent work experience
—Excellent communication skills, writing and public speaking
—Ability to interface with top management as well as the diverse cultures of corporate and IT security
—Strong working knowledge of security principles (such as authentication, auditing, crime scene preservation, risk management) and elements (locking systems, evacuation methods, perimeter controls, firewalls)
—Eight to 10 years of experience demonstrating exposure to and some level of expertise in physical and IT security. Also, at least five years’ experience in a security-related thought leadership or management capacity
Other desired qualities include:
—Consensus builder, while still results oriented and commitment focused
—Internet-based security experience
—Business-based attitude, i.e. the recognition that no policies can be implemented without demonstrable business benefit
—Customer service experience
—Awareness of and strong experience in vulnerability testing in addition to penetration testing
—Developing security practices as a people problem vs. a technical problem
—Knowledge of standards-based architectures, with an understanding of how to get there, including compliance monitoring and enforceability
—Certifications such as Certified Protection Professional (CPP), Certified Information Systems Auditor (CISA) or Certified Information Systems Security Professional (CISSP)
Giga research shows a wide range in the compensation packages of managers with the title of CSO. However, of those that meet the job description, qualifications and reporting relationships described above (i.e., senior business managers reporting outside of IT), the range is much narrower. For example, one major media company on the East Coast is paying its CSO $US225,000 base salary, plus up to 40 per cent in annual bonuses for meeting objectives. A manufacturing firm in the Midwest is paying $US185,000 plus 25 per cent in bonuses. Each of these positions reports to the CEO. Both of these companies opted not to have separate senior managers running IT security and corporate security respectively. Therefore, the CSO is effectively the line manager for both operations. Midlevel managers maintain the day-to-day operations of the respective security groups. We have heard of, but not substantiated, a claim of one compensation package totalling $US700,000 and another in seven figures as total compensation in New York City.
But let’s consider the alternative view. It is appropriate to segregate the roles of corporate and IT security when the risks the two departments manage do not originate from the same sources. For example, midsize retail companies may not find it useful to combine their corporate security team, which mainly focuses on loss prevention, with an IT shop that primarily processes transactions. In that case, competitive espionage is almost entirely under the purview of corporate security. Very large retail corporations may suffer exposure to espionage within their floor management as well as through the compromise of marketing strategies, product plans, etc.
Many CIOs view themselves, quite rightly, as the liaison between IT and the business sides of the house. As a result they see no need for an additional security officer. IT security is simply one of the subordinate management tasks in the CIO’s organisation. In those cases, many of the same job functions will apply, but may fall in a number of reporting structures within the CIO’s hierarchy and outside.
Security is evolving into a critical shared service within most organisations, which means the head of security is also evolving into a critical leadership role. The new security leader has responsibilities not merely to IT, but to improving operational efficiency of the business and implementing cost-effective risk management measures. Those bottom-line improvements come most easily when companies treat security as a business process, assigning a single individual to coordinate the various risk management processes of that organisation.
Steve Hunt is the VP of Security at the Giga Information Group