The Job Within the Job
Today's CSO must be soldier, spy and business strategist
A successful chief security officer must oversee strategies to protect a company’s physical, human and virtual assets. The CSO also must find ways to provide tangible contributions to the company’s bottom line. Achieving those ends requires the CSO to be a leader, a communicator, an enforcer, an investigator and, above all, a visionary businessperson.
That’s how industry consultants, observers and associations define an ideal CSO. Unfortunately, it’s a likeness that many real-life security executives cannot equal—yet.
“There are many unsuccessful CSOs,” said Severin Sorensen, CPP, president and CEO of Sikyur.com. He also is the chair of the Physical Security Council of ASIS International.
The key reason for CSO failure, said Sorensen and others, is that too many security directors don’t understand the business language of return on investment or its many nuances.
“Effective CSOs understand the business and regulatory drivers that affect their department and the impact of their department on the overall business, then provide a framework so the professionals working under them understand how their daily efforts contribute to the company’s business objectives,” said Benjamin Butchko, CEO of Butchko Security Solutions, a security engineering firm in Houston.
“If CSOs have no strategic vision, I’ve seen them struggle,” he said.
Speaking of Business
Such struggles come in part because senior management undervalues security, often labeling it as overhead. That’s true even in security-conscious industries, such as banking, retail and petrochemical, according to consultants.
“Corporations just don’t know enough about security and its impact,” said Bob Hayes, executive director of the Security Executive Council, an industry group dedicated to raising the profile of corporate security professionals. “Making certain senior management does understand the bottom-line impact of security is a crucial aspect of the CSO’s job.”
That makes communicating with executive management and the board in clear, definable cost-and-benefits language critical to a CSO’s success.
“The key for a CSO is to put together a business case to show the value of security in terms senior management can appreciate,” Butchko said. That means not discussing response time and camera placement, but a dollars-and-cents spreadsheet showing the potential cost of unmitigated risk versus the security investment required to address it.
CSOs also must be prepared to defend their numbers and payback periods.
“If you can’t get benefits in excess of cost within 36 months, unless it’s a critical system, it won’t get funded,” Sorensen said. Security directors must have defensible logic supporting their benefits analysis and be prepared to measure benefits after implementation, he said.
“A potential cost-benefit model for security organizations could be that used by corporate safety and environmental departments,” said Butchko, who worked as a senior security engineer in Exxon’s Global Security Department before launching his own firm.
Failure to comply with safety and environmental regulations leads to expensive fines, so the cost of safety and environmental protection measures can be compared to the cost of noncompliance. Similarly, Butchko suggests CSOs should predict the likelihood of loss events related to security, then calculate the cost percentage of security measures compared to insurance outlays and potential losses.
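The funding test Sorensen describes (benefits must exceed cost within 36 months unless the system is critical) and the loss-likelihood comparison Butchko suggests can be carried through as a small model. This is an added example, not code from the article or from either consultant; the input figures are constructed, and the three-year amortization of one-time cost is an assumption made here for the cost-percentage comparison.

```python
from dataclasses import dataclass
from typing import Optional

FUNDING_HORIZON_MONTHS = 36  # Sorensen's rule of thumb from the article


@dataclass(frozen=True)
class SecurityCase:
    name: str
    annual_event_probability: float  # likelihood of a loss event per year, before the control
    loss_per_event: float            # expected dollar loss when the event occurs
    probability_reduction: float     # fraction of events the control is expected to prevent (0..1)
    control_capex: float             # one-time cost of the security measure
    control_annual_opex: float       # recurring yearly cost of the measure
    insurance_premium: float         # yearly insurance outlay for the same risk
    critical: bool = False           # critical systems are funded regardless of payback


def expected_annual_loss(case: SecurityCase, with_control: bool) -> float:
    """Likelihood times impact; the control scales down the likelihood."""
    prob = case.annual_event_probability
    if with_control:
        prob *= 1.0 - case.probability_reduction
    return prob * case.loss_per_event


def annual_net_benefit(case: SecurityCase) -> float:
    """Loss avoided per year minus the recurring cost of the control."""
    return expected_annual_loss(case, False) - expected_annual_loss(case, True) - case.control_annual_opex


def payback_months(case: SecurityCase) -> Optional[float]:
    """Months until the one-time cost is recovered; None if the control never pays back."""
    benefit = annual_net_benefit(case)
    return None if benefit <= 0 else case.control_capex / benefit * 12.0


def cost_percentage(case: SecurityCase, amortization_years: int = 3) -> float:
    """Annualized control cost as a percentage of insurance outlay plus unmitigated expected loss
    (assumption: one-time cost is spread over amortization_years)."""
    annual_cost = case.control_capex / amortization_years + case.control_annual_opex
    exposure = case.insurance_premium + expected_annual_loss(case, False)
    return 100.0 * annual_cost / exposure


def would_be_funded(case: SecurityCase, horizon_months: int = FUNDING_HORIZON_MONTHS) -> bool:
    """Sorensen's test: fund if critical, otherwise only if payback falls inside the horizon."""
    if case.critical:
        return True
    months = payback_months(case)
    return months is not None and months <= horizon_months


# Constructed sample cases (not figures from the article).
CAMERA_CASE = SecurityCase("loading-dock analytics", 0.30, 400_000, 0.75, 150_000, 10_000, 25_000)
EXPENSIVE_CASE = SecurityCase("site-wide rebuild", 0.30, 400_000, 0.75, 400_000, 10_000, 25_000)
CRITICAL_CASE = SecurityCase("control-room hardening", 0.30, 400_000, 0.75, 400_000, 10_000, 25_000, critical=True)
```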
Converging Profit and Security
While detailing the cost-benefit analysis of security measures is critical, CSOs increasingly must look at how their security tools may extend beyond their department to make allies elsewhere.
“You need creative thinking and networking to make security objectives the objectives of other departments as well,” Sorensen said. The issue here is to get “buy-in,” and budget dollars, from those other areas.
That will require general business savvy, such as recognizing that surveillance video of delivery trucks routinely idling on a loading dock for more than an hour represents excessive costs or that images of customer bottlenecks at popular displays equate to profit opportunities.
“It also means being able to connect with corporate end users, ensuring that security doesn’t get in the way of the tools that make them more efficient,” said Pam Fusco, chief security strategist of Fishnet Security Inc., Kansas City, Mo., and a board member of ISSA International.
Fusco points to the number of consumer computing appliances users have introduced into the corporate environment, from instant messaging to USB drives. Instead of viewing these as unauthorized gadgets, she said it’s important to ask why people are using them and what advantage the business is gaining from them, then figure out a security strategy that supports those uses.
“You just can’t say no,” she said. “Ninety-nine percent of the time, you can find a way to make it work.”
The Model CSO
What exactly are a CSO’s responsibilities? They’re broader than what executives, including CSOs, may think, according to ASIS International, the security professional association. In its Chief Security Officer Guideline 2008, ASIS argues that corporations require a single, executive position responsible for overseeing physical and virtual security strategies. The guideline describes the skills and responsibilities the CSO should have.
“ASIS wanted the description to show what a truly converged CSO function would look like,” said Bob Hayes, executive director of the Security Executive Council. While some individual CSOs may have all the skills outlined, Hayes said the key is that each skill should be found under the security department’s mantle.
“At the end of the day, all these skills have security ramifications that need to be addressed,” Hayes said, noting that even most security professionals don’t view security as broadly as the model does. “It shows executives the scope of security within an organization.”
Who's In Charge?
While some sources say the convergence of physical and logical security has been overplayed, many others expect to see security software maintained by IT professionals, just as IT ensures other business-critical software tools and technology are available to finance, HR and business specialists.
That’s a troubling development for some security leaders.
“A challenge is that security directors are afraid of their diminished role by sharing technology,” said Sorensen. He has seen security directors introduce technology foreign to their IT departments to protect their turf—a shortsighted move, in his eyes.
It’s also unnecessary, provided CSOs prove to senior management they have necessary expertise no one else in the company has.
“There are lots of different tools IT may administer, but they don’t make decisions about what the software will be,” said John Honovich, founder of ipvideomarket.info. “The CSO has domain management expertise in physical security, and there’s a big risk in leaving this to IT when it lacks both physical and logical security expertise.”
“I see significant loss events when professionals with IT or business backgrounds are unprepared for criminal events or fail to understand the lengths criminals will go to accomplish their aim,” Sorensen said.
Some broad security functions simply are beyond the purview of IT, agree other security experts.
“Governance—security, privacy, compliance, risk management—doesn’t belong in IT,” said Fusco. She said these are C-level management issues; it’s the operations that could come under the IT umbrella.
Strategy is Everything
Increasingly commoditized, plug-and-play-based security technologies could reduce or eliminate the need for separate security networks and support organizations, consultants say. To thrive in this emerging world, Sorensen said CSOs must not only meet security objectives but also must figure out how they can contribute to the corporate bottom line.
“Smart CSOs will carve out roles for themselves as profit centers,” Sorensen said. He said security directors who want to advance will go back to school, bring in IT resources and learn about new threats and new business strategies.
“If you can’t talk strategy, you’re just coming [to management] hat-in-hand instead of as a value-add,” Butchko said.
Proving their strategic value will be essential for CSOs during the current economic slump. Security experts expect increased fraud, other criminal activity, employee unrest and cutbacks in the corporate security department.
“Security professionals are painfully aware organizations look first to cut security budgets because they see it as a cost center,” said Honovich.
“If the CSO isn’t adding value, or doesn’t have the department aligned with the business, they’ll go,” said Hayes. He said a recession makes it clear whether security is “baked in” a company’s structure or merely bolted on.
“If a company values security, they’ll know this is not the time to cut it,” Hayes said.
Some CSOs could burnish their function’s luster even in—perhaps because of—a dim economy.
“The economic downturn will accelerate the relevance of the CSO position within an organization,” Butchko said. “It’s an opportunity to elevate the position and perform effectively.”
“The CSO should think negatively about the economic situation and be proactive in addressing it,” said Sorensen. The prepared CSO will have plans for dealing with the security implications of layoffs and slowdowns, ranging from employee theft of goods and information to executive protection schemes, he said.
“Take a plan to the CEO and demonstrate ‘you can’t afford not to have us,’” Butchko said. “If you wait for management to come to you, you’ve missed.”
Actively promoting security’s business value is an endless but potentially rewarding task.
“A good CSO knows the business and must be savvy on the business needs,” Fusco said. “What would you like security to do for you?” is the question CSOs need to ask business units, she said. Then they must be prepared to fill those requests—an act that increases the value of the security position throughout the organization.
“Using security to push the business forward propels the [security officer] to the top of the food chain,” Fusco said.
This article originally appeared in the February 2009 issue of Network-Centric Security.