Over the past several years, I’ve had the opportunity to observe various companies approach the considerations in hiring a Chief Security Officer. If you were a fly on the wall when top management is considering upgrading their security program, it’s possible the conversation might go something like this. At the end, we would appreciate your feedback: who should the CSO report to?
The company and the names in this debate are purely fictitious but based on real experiences. Assume the company is a large-cap publicly traded Fortune 250, in a business where sensitive customer data is processed; they are extensively outsourcing non-core business processes and their Board of Directors is concerned about the unaddressed risks in the security program.
_______________________________________________________________
The COO walks into the CEO’s office for their weekly lunch meeting and the first thing out of his mouth is “so, I’ve considered it and I’m convinced that we need to significantly upgrade our security program. How would you propose we proceed to fill its leadership?”
COO: “I anticipated your buy-in and I think we should let Marilyn (SVP Human Resources) and Bill (Chief Information Officer) provide us with their rationale for having this responsibility in their portfolio. They both have some real skin in this game.”
CEO: “Why not you?”
COO: “I’ve already got too much on my plate with our international initiatives. Marilyn and Bill are both on the Executive Committee and I think either of these would elevate security closer to you and the Board.”
CEO: “The Board and the Audit Committee have made their concerns very clear on our current shortcomings with regard to a variety of security issues. What we have to resolve between these two is whether this job is going to have real access and be more fundamental to our global risk management strategy, or whether it is more of a day-to-day tactical job.”
COO: “I agree. Based on our audit reports over the last several quarters coupled with our global initiatives, there’s just too much going on in the security-related area of risk that we don’t know and that makes me nervous. Let’s get somebody in that job that can really scope out our security risks and get the business unit managers on board with solutions.”
CEO: “Set up a meeting for you and me with these two and let’s see who has the best vision for this function.”
The COO calls Marilyn, the SVP of HR, and Bill, the CIO, and lays out the challenge: “We are moving ahead with a more senior hire for Corporate Security. We think this involves moving the current function out of Facilities and into either of your portfolios to give it greater visibility and reach. Prepare your position descriptions and we will meet with the CEO late next week.”
At the appointed hour, Marilyn and Bill enter the boardroom. The CEO welcomes them and says “I’ve taken the liberty of asking our Chief Counsel to join us as I think there may be a number of issues of concern to him in this position. Marilyn, why don’t you start?”
HR: “I see security as a support function to the business, perhaps even decentralized across our business functions. Anyone who approaches this job as the be-all and end-all of security misses the point that every manager in this company has an obligation to protect our shareholders and our assets. While it’s clear that this position requires a leader who understands risk, I think a critical success factor will be their ability as a relationship manager, somebody who can build trust so that our business unit managers will come to him or her with their issues before they boil over. At the end of the day, that approach is at the core of HR’s service focus.”
CIO: “I think Marilyn is right about this position focusing on the business units. Our whole IT strategy is built around the notion of us providing security policy that holds every employee accountable for protecting our infrastructure and our private data. At the corporate level, we provide the tools and the intellectual leadership to a cadre of trained information security specialists in every business function. The same philosophy is applied in our business continuity program, which resides in my office. Facilities already provides an in-depth physical security program around our data centers and other critical spaces that IT has mandated, and much of our emphasis there has been on technology rather than guards. It seems to me it would be relatively simple to add a few complementary programs to what we already have and limit our costs.”
HR: “I’d be interested in hearing what our Chief Counsel has to say about the services and competencies this position has to bring to the table.”
Chief Counsel: “Look at the expanded job description for a Chief Security Officer that has emerged since 9/11: internal and external investigations, threat analysis, intelligence, physical security, personnel security, information protection, emergency preparedness and response management. I’d add to that a global network of contacts, a far more comprehensive background vetting program and significantly greater risk assessment around our expanding domestic and global business partners.”
CEO: “That sounds significantly broader than what each of you is talking about. How would you approach these capabilities?”
HR: “Our HR Employee Relations team is highly competent in fact finding around allegations of misconduct and we’ve contracted for a confidential hotline to comply with new regulations. Moreover, we have very few reported instances of internal misconduct. I would assume we would continue to use outside contractors for fraud investigations. We seem to be in line with our peers on just vetting a select few in management and risk prone positions.”
COO: “Marilyn, you are the employee’s advocate. And Bill, your people are highly limited in non-technical or operational security issues. It doesn’t seem to me that either of your teams is trained to comprehensively probe suspected instances of employee fraud or trade secret theft. These have potentially serious consequences for the company.”
CIO: “With all respect, having HR responsible for background and internal investigations presents a potential conflict of interest in my view. We are increasingly empowering a broader and deeper base of employees and contractors with sensitive logical and physical access. I think expanding both our background vetting and security-related due diligence makes a lot of sense. I’d look for a highly qualified security generalist to manage much of the work Counsel has outlined. A properly staffed security team, backed by a clear set of policy expectations and a mandate to work collaboratively with their HR and business colleagues and business managers is the course I’d take in this initiative.”
HR: “Bill has mentioned ‘policy’ twice. The culture we have here does not respond well to policies and an appearance of a control-centered enforcement philosophy. IT is wholly focused on technical risk, and many of the issues Counsel refers to are human threats which require a totally different mindset on internal controls. He speaks of a concern about having certain security programs in HR while at the same time his CISO lives within the IT department! I do agree with Bill on hiring a highly qualified security generalist, but I’d focus the search on someone with several years of corporate experience rather than the law enforcement backgrounds that seem to be prevalent in the field. Finally, I think it’s important to note HR’s record on the application of best practices. I’d bring that sort of leadership to the development of best practices in security risk management.”
CEO: “You both seem to feel that this is a take-it-or-leave-it choice, that somehow your leadership and unique environments will result in a better security program. Fair enough. Both HR and IT bring assets and liabilities to the table. But I’m concerned that neither of you has spoken about the range of threats confronting the company as we adapt to our markets and competition. What sort of security leadership competencies and experience will add value in those critical areas?”
COO: “I share our CEO’s concerns. I think it underscores the need for this individual’s ability to connect the dots, to see across the interdependencies and seek out the weaknesses in our internal controls. Many of those controls are either owned or heavily influenced by your organizations.”
CIO: “As we have gone around the table, I have to admit that I’m coming to the conclusion that this function should be independent. What about you, Marilyn?”
HR: “I’d share that with the assurance that this job be filled by a proven professional who can develop respect for the function and influence our managers on stewardship and commitment to doing the right thing.”
CIO: “I’d echo that with the suggestion that we form some sort of multi-disciplinary security committee chaired by security. It seems to me that this would provide some assurance that we are all working on the same agenda with regard to risk management.”
CEO: “How would Counsel summarize this debate?”
Chief Counsel: “I agree. I would also add that we need to bring Facilities into the solution inasmuch as the physical security elements are key to an integrated corporate security program. I think we all accept the need for a Chief Security Officer position. The question on the table now is to whom should this CSO position report?”
COO: “Right, and what functions should report to the CSO?”
_______________________________________________________________
What do you think? We encourage readers of Faculty Advisor to send their feedback.
Food for thought:
What important points on their behalf did either HR or IT fail to make?
Are there any important competencies for this position that were not mentioned?
Would you recommend that the information security program remain under the CIO or should it be converged within the new security department?
If you were the CEO, what was the most compelling point to influence your decision?
To whom do you think the security executive position should report and why?
• Admin
• Executive
• Facilities / Real Estate
• Finance
• HR
• Info / IT / Technology
• Legal
• Shared Services
• Other
Scenario compiled and written by George Campbell, Security Executive Council Emeritus Faculty
I would hope this conversation has been conducted in many such enlightened organizations over the recent months. It is now obvious to every family member in every household in the US that security is a bigger concern today than at any time in our history. The impact of inadequate security is becoming more noticeable and problematic with each passing day and with every new publicized security breach.
Who the top security official should report to will probably never be cut in stone, as it could vary depending on the business or type of organization being protected. I would recommend a few things to consider when making this determination, however. They are:
1. How serious are you about security? Not the political words you are required to say, but are you willing to give this person and function real authority? If not, it really doesn’t matter what the reporting structure is.
2. Who in the organization has the most to lose if security fails big time? They are probably the person security should report to.
3. If you ever ask yourself what return on investment you can expect by having good security, then you are not ready to have good security. Good security may well bring in more business and keep the business you have, but a return on investment should never be the primary goal.
4. Security, especially good security, is expensive. In this field you get what you pay for.
5. Lastly, I think universities offering MBA programs should alter their curricula to include a required course on security in the business environment overall, but especially information security. If we are to expect businesses to be run more effectively by MBAs, then they should be academically informed of this increasingly important business function.
Posted by: Dr Walt Foultz | September 04, 2008 at 02:07 PM