Every company has computing systems and sensitive information that are vulnerable to a variety of physical and cyberattacks. Potential loss scenarios range from benign to catastrophic. So, who is responsible for protecting a company's valuable assets? The technical answer, of course, is that the company's board of directors is ultimately and legally responsible.
But how is the board informed about the true risks the company is facing from technical and operational security threats? Someone has to tell them, and this should be the most valuable function of the chief security officer. Unfortunately, many corporate security chiefs are too low on the organizational chart to effectively interact with the board, and reporting structures often blunt and filter (even suppress) those messages before they reach the board.
To whom should the CSO report?
It's a big problem, casting a bright light on where the top security executive should report. There seems to be no dominant rule for companies placing the head of security above the chief information officer, reporting to the CIO, or several levels below the CIO. Corporate culture appears to be the biggest factor. Consider the following structures and their consequences:
The CIO or chief technology officer runs security. CTO bosses prioritize around uptime numbers and tight-as-a-drum networks. CIOs want to be seen as value-adders focused on productivity and profits, and cannot afford to be branded as 'inhibitors.' These mind-sets can cause CTOs and CIOs to delay reporting potential problems upward.
The chief operating officer runs security. COOs are concerned about customer issues and sales. They frequently manage security activity using existing customer relationship management (CRM) systems and processes. Instead of protecting the company's larger goals, the focus is too often on finding solutions for individual customer complaints, continuously monitoring satisfaction, and fighting for market share.
The chief financial officer runs security. CFOs all too frequently act as if the best way to grow a company is to cut costs. When they oversee a security organization, they evaluate security budgetary issues by scrutinizing every preventative capital expenditure or head count increase.
Companies understand why autonomy is important for internal auditors, but have been slow to realize the same logic applies to the CSO. Public companies have audit committees at the board level to scrutinize financial activity. Why not use a similar concept for security issues? The bottom line is that CSOs should have unfettered access to the board if the directors are expected to make, and be accountable for, crucial decisions about the company that may hinge on the risks and consequences of security breaches.
Leadership roles and responsibilities
Security is evolving into a critical shared service within most organizations, which means the head of security is also evolving into a critical leadership role. The new security leader has responsibilities not merely to IT but to improving the operational efficiency of the business and implementing cost-effective risk management measures. Bottom-line improvements come most easily when companies treat security as a business process, assigning a single individual to coordinate the various risk management processes of that organization.
There's no strict rule concerning whether a security czar should report to an IT, operations or auditing executive. What is crucial is that the reporting relationship must be an enabler and not a deterrent to the CSO's ability to integrate the activities of the three groups in managing corporate security. It's the opposite of the fragmented, improvisational, and ad hoc security management norm at many large companies.
Collaboration is the key
Success hinges on the collaboration of all interested parties: the CFO and auditors, legal staff, business unit managers, corporate and physical security teams, IT senior managers and mid-level administrators, and the entire range of corporate stakeholders whose awareness of and participation in a security program is essential.
At its simplest, modern CSOs need to expertly manage three areas. One is the deeply technical job of physically securing systems. Another is developing a wide range of security policies for both the physical and virtual perimeters and aggressively building security awareness. Validating the design of new applications is important, and falls somewhere in the middle of these two areas. The final area is effective monitoring to make sure the other areas are doing well. This belongs under the absolute control of a fully empowered internal auditing function that can properly assess compliance.
Beware: many CSOs are such in title only, serving primarily as mid-level managers within IT and not especially privy to key business requirements or executive empowerment. This may reflect a desire by CIOs and other executives to raise the profile of security, but it ultimately degrades the nature and definition of the CSO role.
David Foote is co-founder, president and chief research officer at Foote Partners LLC in New Canaan, CT (www.footepartners.com).