Platt Perspective on Business and Technology

What do C level officers do? 7: the Chief Security Officer 1

Posted in career development, job search, job search and career development by Timothy Platt on November 1, 2014

This is my seventh posting in a series on what C level officers of a business or organization do, and on what specifically emerges as job requirements for the senior leadership of an organization (see Guide to Effective Job Search and Career Development – 3, postings 376 and following, for Parts 1-6).

Up to here I have been discussing well-established types of executive positions, even if they are not always filled or even seen as necessary in a particular organization (e.g. see Part 5 on the Chief Strategy Officer (strategy-CSO), where the basic responsibilities of that position would more likely be retained by the owner or chief executive officer in a smaller, structurally simple business organization). I turn here to consider a new and still emerging executive officer role: the Chief Security Officer (the security-CSO). And the fact that this is a new type of executive position is telling and very significant.

With that orienting point in mind, I begin this posting’s discussion by raising three fundamental questions:

1. What does a Chief Security Officer do?
2. Who do they directly report to?
3. And how should their work performance be reviewed and evaluated?

The fact that this is a new position, and I add one that is still coming into focus, means that the answers to all three of these questions are still in something of a state of flux. And the fact that a Chief Security Officer and the people who report to them face ongoing change, and even the ongoing emergence of disruptively unpredictable change, means that this state of flux and the uncertainty it creates are not likely to be resolved into broadly based clear agreement or shared understanding any time soon.

What does a Chief Security Officer do? The answer to that is simple and clear-cut when the question is only addressed in general terms. A security-CSO leads the ongoing effort to maintain both physical access security in the business and information security and cyber-security for its information systems, covering both physical records and electronic and digital systems and resources. The devil, as they say, is in the details, and I will return to this question and consider more nuanced and detailed answers to it as I proceed.

Meanwhile, and for general orientation, I turn to question 2 and the issue of whom this executive officer should report to.

• If electronic and digital systems are seen as the primary area of responsibility for this officer, with physical security of office space and related assets considered secondary, the security-CSO might very well find themselves reporting to the Chief Information Officer or to a Chief Technology Officer, and they might in fact serve as a key member of that department’s leadership team. This type of organization-chart positioning might also occur if physical access and related security is broken off from the security-CSO’s area of responsibility and is, for example, outsourced to a third party specialist business to manage, with that vendor’s on-site manager reporting to the office of the COO.
• If overall systems security is seen more as impacting upon and involving all functional areas and business capabilities, and if it is seen as addressing business-wide due diligence and risk remediation needs, then the security-CSO might very well find themselves reporting directly to the COO.
• And if a business creates a security-CSO position in response to a significant security breach, they are more likely to report to an overall second in command COO or even to the Chief Executive Officer or President, at least until a level of confidence has been reached that the risk recently faced has been reduced to more acceptable, stable and controlled levels.

When a security-CSO is brought in and their position is created in reaction to an acute crisis, to address immediate need and to restore confidence in the business organization, their visibility will at least start out very high, and expectations as to what they can, will and should do will most likely start at least as high as that or even higher. And if a perceived security breach occurs under their watch, that, and all they are doing and are presumed to be responsible for doing, will take equally high priority too.

And with that, I briefly go back to question one and what the security-CSO does. Everyone in the business is going to be aware of the high level, broad brushstroke answer to it that I offered above when first noting this question. That seems straightforward, if not immediately simple. But in the real world, addressing business security challenges means addressing a constantly changing technology environment that is complicated by “bring your own technology” employees who often bring and use their own devices without coordinating this with anyone in Information Technology or with anyone in a Security or Risk Remediation office. And in the real world this means operating in an environment of constant challenge, both from outside hackers and from the real potential of inside abuse of information systems and data access. All of these challenges represent arenas of constant change, with new threats and threat forms constantly arising.

And this brings me to what is perhaps the most difficult of these three questions: question three and the issue of how a security-CSO is to be performance evaluated. While I will return to the first two questions in addressing that, my focus for the balance of this posting will be on question three and its possible answers.

• The first point that I would make here is that there is not, and there cannot be, any such thing as absolute security or zero risk. Ultimately, the best that any security oriented employee or security officer can do is to limit risk, particularly for known and already knowable threat sources,
• to identify and close down knowable risk vulnerabilities,
• and to respond actively and quickly where a breach of any type does occur, limiting damage and identifying precisely what information resources and data have been compromised.
• Cleanup and remediation would generally require, at a minimum, active participation from other functional areas within the business (e.g. Information Technology, Marketing and Communications, etc.). The security-CSO and their team members would provide the necessary information for these partners so that they can effectively contribute to an active overall response and mount an effective overall remediation. Legal counsel would almost certainly be involved here too.
• And the security-CSO and their team should be held responsible for, and performance reviewed on, how well they do all of this, allowing for the fact that disruptive new challenges such as zero-day attack vulnerabilities cannot by definition be anticipated or prepared for in detail in advance – but they do and will continue to occur. So even if a security-CSO and their team are actively and fully prepared to prevent vulnerabilities from known sources, such as the top ten vulnerabilities that The Open Web Application Security Project (OWASP) highlights as ongoing business information system weaknesses, real world risk vulnerability cannot be reduced to zero. With time, real breaches can, and have to be expected to, occur for any organization that achieves real public visibility through effectiveness in its markets and its industry. (See the OWASP web site and their Top 10 online vulnerabilities list for more information on that organization as a crucial resource.)

I am going to continue this discussion in the next series installment, where I will delve into the issues of expectations, and of how a security-CSO can both help shape them and at the same time educate their colleagues – both for more realistically shaping security expectations and for more effectively managing ongoing business-wide security capabilities and achieving more effective systems and resources security. I will address these issues at least in part in terms of the three questions that I started this posting with. After that, as already noted leading into this posting, I will turn to consider another more standard and well-known type of position: the Chief of Marketing and Communications Officer and its variations. Meanwhile, you can find this and related postings at my Guide to Effective Job Search and Career Development – 3 and at the first directory page and second, continuation page to this Guide.
