What do C level officers do? 8: the Chief Security Officer 2

Posted in career development, job search, job search and career development by Timothy Platt on November 11, 2014

This is my eighth posting to a series on what C level officers of a business or organization do, and on what specifically emerges as job requirements for the senior leadership of an organization (see Guide to Effective Job Search and Career Development – 3, postings 376 and following, for Parts 1-7).

I began discussing the role of Chief Security Officer (security-CSO) in Part 7 of this series, and I continue that here with this installment.

More specifically, I began discussing this type of executive officer position by raising and at least initially addressing a set of three questions that might be seen as operationally defining it:

1. What does a Chief Security Officer do?
2. Who do they directly report to?
3. And how should their work performance be reviewed and evaluated?

And after sketching out brief orienting answers to them, I finished that posting by stating that in this one, I would:

• Delve into the issues of expectations, and of how a security-CSO can both help shape them and at the same time educate their colleagues – and both for more realistically shaping security expectations and for more effectively managing ongoing business-wide security capabilities and achieving more effective systems and resources security.

And I stated that I would address these issues at least in part in terms of the three questions that I started Part 7 with. But I begin here with that word: “expectations.” And I begin that by looking ahead to a topic of discussion in this series that I have been planning on exploring but that I have not even mentioned up to here: bringing a wider circle of experience and expertise to the C-level executive table and to the overall business-wide decision making process, where that includes the leaders of perhaps-familiar functional areas that have traditionally been excluded. The head of security is one such position that is now rising to executive level prominence in an increasing number of organizations. A second such position that is long-standing in existence but that is only very rarely included in the executive team is the Director of Personnel, or the Director of Human Resources as that service is also called.

In anticipation of that future posting I note here that where a security-CSO can be burdened by unrealistically high expectations, fueled by broad brushstroke understanding of what they seek to do, and a presumption that absolute security is possible, a Director of Human Resources is usually burdened by excessively low expectations – that they and the people who report to them are just forms managers who collect and store paperwork as a necessary but essentially menial activity. So they track and store personnel files and manage employee benefits but that is all they do or can do – forms.

I raise this set of issues from an HR perspective, and at least briefly discuss how that service is viewed, as a point of comparison here: unrealistic expectations can only lead to problems, whether they are overly demanding and unrealistic for their expansiveness, or overly restricting and unrealistic for the barriers to participation and performance that they can create.

Focusing here on the challenges faced by a security-CSO:

• When a manager at whatever level is routinely expected to be able to perform what realistically should be considered miracles, and presciently so in anticipating and proactively responding to disruptive new threats before they can strike, expectations can never really be met. And push-back from presumed performance failures will hinder capacity to perform optimally where reactive and even proactive responses are legitimately possible – because responding to fellow-executive displeasure takes time and energy and effort too.
• Unrealistically high expectations can and do lead to executives having to waste their time and effort addressing and seeking to put out what should be avoidable fires. And unrealistically high expectations can and do close eyes, ears and minds to insight offered that might presume less than absolute security, but that might offer more realistic and attainable security value to the organization because of that.

So what does a security-CSO do? In a realistically supportive context they can focus on doing their jobs. When they are expected to provide absolute security or some unrealistically close approximation to that, they can find themselves spending too much of their time seeking to manage expectations.

And with that, a legitimate and necessary part of the security-CSO job has to be in educating employees, from non-managerial hands-on workers through to C-level executives on what is possible, and on what of that should be carried out by security and related personnel, and what of that must be carried out by employees in general as part of their ongoing workplace practices.

Who should a security-CSO report to directly? That depends on the organization, but it is important that they have one supervisor who both takes the lead in performance reviewing them and who actively supports their being able to perform their job.

These executives work with essentially everyone in the organization, at least indirectly, insofar as they reach out to and continually update and educate everyone, and both to limit problematical behaviors and practices and to help identify emerging problems as quickly as possible – and wherever they arise.

How should they be performance reviewed? Realistically and according to an understanding that while better systems and resource security might always be possible, perfect is an illusion and the enemy of good and effective.

I am going to turn in my next series installment to consider the roles and responsibilities of the Chief of Marketing and Communications and that executive position’s variations. Meanwhile, you can find this and related postings at my Guide to Effective Job Search and Career Development – 3 and at the first directory page and second, continuation page to this Guide.


