Ready for a CSO?
from May/June 2003
by Susan Caminiti
Here’s another set of initials you’ll be seeing more frequently: CSO. It stands for chief security officer, a position that an increasing number of companies—including KeyCorp, Reuters, and Bloomberg News—are starting to fill. Says Phil Rosch, president of Old Harbor Consulting, a technology and risk-management firm in Islamorada, Florida: “Four years ago, when I asked an audience how many of them had CSOs, maybe three out of 50 put their hands up. Now it’s closer to 40% of the audience saying yes.”
September 11, ongoing terrorism concerns, and Iraq keep companies worried about the vulnerability of their buildings and computer systems. New regulatory and accounting rules are also driving them to get their security standards up to snuff. For instance, the Health Insurance Portability and Accountability Act requires that health-care providers have systems that protect electronically transferred health records. Companies are hiring CSOs to monitor and upgrade those security controls, and to be accountable should things go wrong. “More and more directors are asking, ‘Are we secure? Who’s responsible if there’s a breach?’” says Rosch. “A good board wants to know where the buck stops.”
CSOs are a breed of next-generation security expert. They’re expected to understand security from the physical side (plants, factories, office buildings), as well as to be computer-savvy. “The CSO needs to have the business acumen to create strategies and deliver programs and then be able to sell those systems to the CEO, the CFO, the board, and the rest of the organization,” says Joyce Brocaglia, CEO of Alta Associates, an executive search firm in Flemington, New Jersey, that specializes in information-security positions. “Plucking someone out of IT whose only strength is in technology and putting him in this position isn’t going to work.” Because the job title is so new, there’s little uniformity in CSO career histories. “Look at 15 different companies and you’ll see 15 different kinds of backgrounds,” Brocaglia says. “Some come out of IT, some out of the military, and others have FBI or police backgrounds. It’s going to take a while to get some consistency.”
To do the job effectively, CSOs need to be part of senior management and have the ear of the CEO and the board. And therein may lie a problem, says Brocaglia. Many of the companies approaching her say they want a CSO who can handle both the physical and the cyber side, but are reluctant to put this person at a senior level. “Many companies still think of security as a technical problem, not a business problem,” she says. “You can’t hire a CSO, bury him or her two to three levels down the chain of command, and then expect everything to be okay.”
In most companies today, says Brocaglia, the CSO answers to the chief information officer (CIO) or chief technology officer (CTO). For example, Lloyd Hession, CSO of Radianz, a New York City-based outfit that operates a computer network handling transactions for big brokerage houses, reports to the CTO, who’s also the No. 2 in his company. But both he and Brocaglia expect that chain of command to change as the CSO position gains visibility and its clout begins to equal IT’s. “A CIO gets compensated for delivering systems on time and for having them up and running without a breakdown,” says Hession, a former chief architect of Internet security for IBM. “A CSO’s job is to protect the assets of the company, and that might mean, at times, shutting the system down.” Adds Brocaglia: “A CSO could be more effective and have less of a chance of conflict of interest if he or she is outside the IT department. I think that change will come in time.”
With technology security at a premium at his company, Hession already has the board’s ear. He occasionally appears at board meetings to brief directors on security updates—something that should be part of the job for all CSOs.


