A knowledge of information security risk management is just one of the many requisite skills a chief security officer needs for crafting, influencing and directing an effective organizationwide protection strategy.
Increasingly, the job also calls for an understanding of issues as diverse as emergency preparedness, crisis management and response, physical security, disaster recovery, and privacy and regulatory matters. That's the assessment of Alexandria, Va.-based ASIS International, a 33,000-member group of security professionals that this week released draft guidelines that companies can use when developing CSO positions.
"There's been a lot of discussion on the need for organizations to create a centralized governance function for many areas of risk," said Jerry Brennan, president of Vienna, Va.-based Security Management Resources Inc. and one of the drafters of the document.
The guidelines are the result of an attempt to give a formal definition of the scope, responsibilities for reporting relationships and experience needed to do the job, he said.
"There wasn't much available that addressed the pulling together, from a governance perspective, of all of the areas of security risk that an organization faces," Brennan said. "So we decided to try and craft a document that would be broad-based and truly represent what the CSO position would be in an organization."
The ASIS guidelines come at a time when a growing number of security professionals say there needs to be a top-level management position to oversee all aspects of operational risk. "I have always found it preposterous to suggest that there are separate disciplines that require separate management" when it comes to operational security, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
For example, installing a privacy officer who is separate from the rest of the security team only "fragments the effort and ensures that the physical and virtual aspects of privacy have to be laboriously coordinated," he said. The same is true when it comes to having separate chief information security officer and CSO functions.
"Having been both separately and now both at the same time, I can state with confidence that combining them makes the most sense," Treece said.
Even so, security professionals agree that only a relatively small number of companies have created a formal CSO function because of the substantial political and organizational challenges that need to be overcome in doing so.
The popular notion of the CSO being the person in charge solely of IT and physical security functions has also limited the effectiveness of the role, said David W. Stacy, global IT security director at St. Jude Medical Inc., a US$1.6 billion manufacturer of medical equipment.
"I prefer the concept of the chief risk officer that encompasses these two areas," while also including other functions such as privacy, risk insurance and regulatory compliance, Stacy said.
"So, moving to a CSO model that only deals with IT security and physical security may be a logical first step to eventually getting to a CRO model," he added. "But even having a CSO would be a revolution, as opposed to an evolution, in many organizations."
Some security professionals have trouble with the concept of having an all-encompassing role. For one thing, "there is a huge difference between the practice of physical security management and information security management," said Eddie Schwartz, chief technology officer at Securevision LLC, a Fairfax, Va.-based consultancy. "While both disciplines have the use of technology as a common element, the background and education of the practitioners are distinct."
There's also the danger of rolling far too many functions under the CSO umbrella, Schwartz said. "It's an unnatural organization of activities and doomed to failure in most organizations," he said.