A knowledge of information security risk management is just one of the many skills that a chief security officer needs for crafting, influencing and directing an effective organizationwide protection strategy.
Increasingly, the job also calls for an understanding of issues as diverse as emergency preparedness, crisis management and response, physical security, disaster recoverability, and privacy and regulatory matters. That's the assessment of Alexandria, Va.-based ASIS International, a 33,000-member group of security professionals that this week released draft guidelines that companies can use when developing CSO positions.
"There's been a lot of discussion on the need for organizations to create a centralized governance function for many areas of risk," said Jerry Brennan, president of Vienna, Va.-based Security Management Resources Inc. and one of the drafters of the document.
Defining the Job
The guidelines are the result of an attempt to give a formal definition of the scope, responsibilities, reporting relationships and experience needed to do the job, he said.
"There wasn't much available that addressed the pulling together, from a governance perspective, of all of the areas of security risk that an organization faces," Brennan said. "So we decided to try and craft a document that would be broad-based and truly represent what the CSO position would be in an organization."
The ASIS guidelines come at a time when a growing number of security professionals say there needs to be a top-level management position to oversee all aspects of operational risk.
"I have always found it preposterous to suggest that there are separate disciplines that require separate management" when it comes to operational security, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
For example, installing a privacy officer who is separate from the rest of the security team only "fragments the effort and ensures that the physical and virtual aspects of privacy have to be laboriously coordinated," Treece said. The same is true when it comes to having separate chief information security officer and CSO functions. "Having been both separately and now both at the same time, I can state with confidence that combining them makes the most sense," he added.
Even so, security professionals agree that only a relatively small number of companies have created a formal CSO function because of the substantial political and organizational challenges that need to be overcome in creating the role. Issues such as scope, reporting relationships and ownership of risk management functions can all be sticking points.
Broadening the Scope
The popular notion of the CSO being in charge solely of IT and physical security functions has also somewhat limited the effectiveness of the role, said David W. Stacy, global IT security director at St. Jude Medical Inc., a $1.6 billion manufacturer of medical equipment in St. Paul, Minn.
"I prefer the concept of the chief risk officer that encompasses these two areas" while also including other functions such as privacy, risk insurance and regulatory compliance, Stacy said.
"So, moving to a CSO model that only deals with IT security and physical security may be a logical first step to eventually getting to a CRO model," he added. "But even having a CSO would be a revolution, as opposed to an evolution, in many organizations."
But some security professionals have trouble with the concept of having an all-encompassing role.
For one thing, "there is a huge difference between the practice of physical security management and information security management," said Eddie Schwartz, chief technology officer at Securevision LLC, a Fairfax, Va.-based consultancy. "While both disciplines have the use of technology as a common element, the background and education of the practitioners are distinct."
There's also the danger of rolling far too many functions under the CSO umbrella, Schwartz said. "It's an unnatural organization of activities and doomed to failure in most organizations," he said.
Relationship Management Key Skill for CSO Role
Relationship management skills are a top requirement for a successful chief security officer, according to ASIS International's recently released draft guidelines for the function.
Because of the wide scope of the job, CSOs must be able to "influence and nurture" relationships with business-unit leaders, government officials and professional organizations, according to the ASIS guidelines.
"Having good political, collaborative and marketing skills (is) critical for a CSO or chief risk officer," said David Stacy, a security director at St. Jude Medical.
Also crucial is subject-matter expertise. CSOs must either have the knowledge themselves or must ensure that adequate technical expertise is available to cost-effectively deliver security services, he said.
"Anyone with solid experience in one or more of the risk areas could do the job, as long as (he is) surrounded with experienced subject-matter experts and actually listens to them," Stacy said.
"The CSO has to be able to carry the water in the senior executive environment," said Dennis Treece, director of corporate security at the Massachusetts Port Authority. "This means communicating effectively with the CEO and the board. The CSO must know how to create and defend a budget in a constrained fiscal environment. He needs to have a resume that garners respect and must keep that respect by being a team player, not someone who is always crying that the sky is falling."