This question came up during the Security 500 Conference last November, and it is still sticking with me. I don’t think you’ll find an easy or consistent answer. Often the answer to that question is “to protect people, property, information, reputation, etc.” But is that really the answer to what the role is? If that were the answer, then making all the decisions on how much to budget, what tools and resources would be needed, and how quickly they would need to be implemented to protect those assets would be security’s decision. Many conversations with my peers about security’s lack of resources would indicate to me that this isn’t the case.
So, if we don’t have the ability to make these decisions, what then is the role of security? Let me first propose that this is fundamentally a critical question and, as a CSO, I personally struggled with this for a long time. Knowing your role is important because it brings purpose to daily activities, develops a working philosophy, drives strategy, and may change how we perceive our own value for career satisfaction purposes. That’s true not just for security leaders, but for anyone in the industry, at any level.