Will the Real CSO Please Stand Up?
Many large organizations are beginning to add the position of chief security officer (CSO) to the C-suite. This is great news as it highlights the benefits and importance of a well-designed security unit as a business function. However, some recent trends suggest that some organizations still may misunderstand the impact and role of security.
One tendency is to combine information technology (IT) security functions under the same umbrella as more traditional or physical security management. Just because both use the word security does not mean the same skills, experiences or knowledge are involved. A CISO (chief information security officer) faces true threats, but ones that are very different from a security management perspective. Hackers, firewalls, database protection are more the focus, compared to burglars, cameras and employee theft. A leader with extensive experience blocking cyber attacks from overseas may not have the background or expertise to plan for executive protection overseas or to conduct an internal investigation.
If you look at the ways IT security and physical security go about protecting an enterprise, you will see that the talents, know-how and abilities are very different. Both roles are focused on protection, but in very different ways. Both have grown up as separate industries, each with their own professional organizations and professional certifications. Even some terms may be similar such as risk assessments or threat analysis and again the meanings vary.
Threat assessment for a physical security leader is the process of reviewing threats of violence against a facility or individuals as compared to an analysis of malware and hacking attempts.
As companies become more reliant on technology there is an increasing need for information security and physical/environmental security to partner together. Security software systems tied to the Internet may need to be set up in conjunction with IT to ensure that any risks of unauthorized access are minimized. At the same time, IT should not be selecting the systems based solely on what works best for the network or any applicable databases, switches, encoders etc. IT may not understand the needs or expectations with the system by those depending on it.
A former law enforcement officer may know a lot about loss prevention, handling investigations or crime prevention, but be completely lost when it comes to SSL certificates, VPN and database encryption. On the flipside, an information system manager may be an expert with SQL databases or programming in C++, but not understand criminal law, the warning signs of violent behavior or the force continuum for security personnel.
So which background makes for the best CSO? The answer will depend on the organization. Ideally, there should be a CISO and a CSO to work in tandem with each other and with other business units for the best level of protection.
If there is only one CSO, careful thought should be given to the job functions. In this case, it is highly unlikely that one person will have the necessary background for all the job description. Then the real CSO should be the leader who demonstrates the ability to develop teams and cultivate enough understanding to manage both info security and physical security challenges.
Perhaps the single most important skill set is the understanding of human behavior; specifically, an in-depth understanding of the criminal mindset and its ability to exploit vulnerabilities in both the virtual and real worlds.