The Evolution of the Chief Security Officer

By Bill Gillespie
Vice President of Operations
Risk Analysis Group

The Chief Security Officer (CSO) is a new term and, as such, produces a number of misconceptions. The roles of the Chief Executive Officer, Chief Administrative Officer, Chief Operating Officer, etc., are clearly defined by function and history. The CSO, however, is a position that is being driven by post-9/11 events, recent legislation and senior executives.

In the mid-90s, the executive flavor of the month was the Chief Risk Officer (CRO). This individual brought a finance and insurance background to the boardroom. This position was also responsible for the security operations of the corporation. The CRO has become an endangered species. Two factors influenced the paradigm shift.

The success of e-commerce in the late 1990s forced even the most traditional organizations to the Internet. With that success came a price. Internet fraud is a multi-billion dollar international industry. Executives were obliged to address the Internet security issue and looked to the Chief Information Officer (CIO) for answers. It was logical to assume that 'security is security,' and the trend to expand the role of CIO to corporate-wide security began.

The days and months after the World Trade Center attack put security initiatives at the top of the CEO's list of things to do. The traditional security executive immediately became the "go-to" person. However, that concern waned in 2001 and seems to have returned to pre-WTC levels. Enter the Sarbanes-Oxley Act (SOA) of 2002.

Legislative Issues
The SOA is the legislative product of the debacles of Enron, Arthur Andersen, WorldCom and the suspicions that similar scandals are on the horizon. It is pointed legislation that compels publicly held companies to engage in proper financial reporting practices and to develop infrastructure containing self-policing mechanisms. President Bush made his priorities clear in his most recent State of the Union address: to bring to justice Osama bin Laden, Saddam Hussein, and dishonest Chief Executive Officers.

It can be presumed that the President's platform will be with us for at least two years, perhaps six years if he is re-elected in 2004. The actions of the SEC in January of this year aggressively addressed perceived loopholes in the SOA, a clear indication that the legislation will be with us moving forward.

The CIO Dilemma
The published data I have reviewed indicates that those individuals who currently hold the title of CSO have come from the IT arena, former CIOs whose roles have been expanded. While I wish these individuals the best of luck, I believe that the road ahead will continue to be difficult. Why?

The IT field is necessarily narrow in focus, and so are the security issues associated with that arena. The CIO has not been trained to address enterprise-wide risk issues: it is his/her responsibility to administer a broad range of technical, constantly evolving processes, and ensuring the successful functioning of those systems requires the absolute concentration of that individual. Adding to those responsibilities puts the business enterprise at risk.

The same can be said of the other 'C-level' positions within the traditional corporate environment. And that is as it should be. The message of the SOA is simple: publicly held businesses and public accounting firms must conduct their business differently. It implies that the traditional corporate structure in many corporations is broken and requires immediate repair, or else. Any attempt to 'spin' the unambiguous language of the SOA only adds additional risk to the future success of the corporation.

Why a Security Background?
Who within the corporate structure has the traditional responsibility of conducting his/her duties horizontally across the organization? The security manager is the obvious answer, summoned when something goes awry. Only then is executive support provided for inquiring into the misconduct, i.e., theft, violence, embezzlement, etc. This is true whether the internal security person conducts that inquiry or, as has gained recent popularity, a third-party security entity is employed. In either scenario, the CEO recognizes that existing "C-level" executives do not have the training or perspective to launch an investigation outside their realm of responsibility.

The language of the SOA mandates proactive initiatives across the enterprise, not closing the corral after the horses have bolted into the pasture. The SOA identifies this approach as potential criminal activity if stockholders are subjected to unnecessary risk through creative accounting practices or failure to identify and repair organizational risks. Clearly, the security practitioner of today has the awesome responsibility to step up to the plate and fill this void. But what can we do, as security practitioners, to earn the respect and trust of the Chief Executive Officer?

Conclusion
Security practitioners must expand their knowledge base to earn the respect and confidence of the CEO. The position of CSO requires an individual who can serve as the bridge between the CEO and the other C-level executives who are responsible for general operations, legal, finance, and information technology. The successful CSO must have a broad range of general business knowledge and be able to pull each of these factions together as a team, something the CEO does not have the time to do on a full-time basis. An effective CSO is not a person who can write computer programs or configure routers but is a person who understands computer architecture. While he knows security and risk management like the back of his hand, he also has the "thirty-thousand-foot" view of the other components of the business. At minimum, the security practitioner must seek out these other business components and learn how they operate. As more CEOs are sentenced to prison, can we blame them for wanting a CSO who can really protect them and the corporation?

Recently, I made a presentation at an ASIS chapter meeting in which I referred to the need for CPP members to continue to expand their knowledge in order to qualify for the CSO position. I also requested support for the development of a CSO curriculum and certification process. During lunch, the comments of certain ASIS executives indicated they viewed my presentation as heretical. ASIS has been the security leader in this country and many others for over fifty years, but maintaining that position mandates the re-engineering of their thinking. It is unfortunate that, despite five years of discussing the CSO issue with ASIS leadership, the only new certification programs to be developed are subordinate to the existing CPP certification. This need is not the invention of Risk Analysis Group, as the comments of the attendees of that ASIS chapter meeting demonstrate. These comments were diametrically opposite the disingenuous comments of the executives and indicative of people who want to be challenged and rewarded for successfully meeting those challenges.

A monopoly on the security industry's philosophy and increasing membership are not the only indicators of success. Times have changed, and we, as the leaders in the security industry, must change with them, or we will, once again, miss the train that is about to leave the station. Risk Analysis Group will continue to serve as the leading advocate for the CSO program and solicit the assistance and input of anyone who may be able to help us meet our goal.

Next month I will share my views as to where the CSO position is going and what it will take for the security practitioner to qualify for the position.

Integrated Risk Management Strategies:
From the Front Gate to the Hard Drive.

Presented by former U.S. Secret Service agents and other nationally recognized security specialists, this comprehensive two-day seminar offers practical solutions for preventing harm to staff, property, and information assets.

Earn CPP, CISSP, CLE, CLSD, PHR, SHRP and other continuing education credits!

Space is limited! Sign up NOW!

Boston
November 3-4, 2003
Hilton Hotel @ MIT
617-577-0200

Phoenix
January 26-27, 2004
TBA

Dallas
February 26-27, 2004
TBA

Atlanta
March 23-24, 2004
TBA

Chicago
April 22-23, 2004
TBA

For additional information or to register, call us at (877) 558-5559 or (818) 501-3297.


2 Day Executive Protection Agent Training Course
presented by Joseph A. LaSorsa, CPP (Former Secret Service)

This seminar will provide basic knowledge of the "Art of Executive Protection" in the style of the U.S. Secret Service.

Fort Lauderdale
July 14-15, 2003
Radisson Bahia Mar Beach Resort
954-764-2233


Career Opportunities
Looking for your next great opportunity? Not looking but open?

Add your resume confidentially to the Risk Analysis Group Resume Database.

Our placement experts will contact you with exciting opportunities.

CNN.com
June 19, 2003

"Geek challenge: A hack-proof network"

news.com
June 18, 2003

"Survey: Financial firms prey for hackers"

news.com
June 16, 2003

"Defense Dept. backs next-generation Net"

CNN.com
June 15, 2003

"Security pumped up at Paris air show"

securitymanagement.com
June, 2003

"How can information exchanged be enhanced?"

Risk Analysis Group is dedicated to providing information and resources to security-conscious professionals.

As a RAG member, you will have access to:

  • The advice and experience of experts
  • Research, white papers and presentations to get your security programs funded
  • Education and training seminars
  • Networking opportunities and information on career advancement opportunities
  • Special Interest Groups (SIGs)
  • Discounts at all Risk Analysis Group events and most external events
  • Preferred pricing on all RAG services

"I will definitely recommend (Risk Analysis Group's) seminar. To have an understanding of the operational and security concerns that spread across an organization is essential to anybody who wants to do a good job in risk management."

- Diana Rich, Director of Risk Management, RemedyTemp, Inc.

This edition sponsored by WITI

Women in Technology, International


WITI is the premiere global organization helping tech savvy women attain their professional goals. With a network of smart, talented women & a market reach exceeding 2M, we have powerful programs & partnerships that provide connections, resources, & opportunities. Whether you work for a company, the government, academia - or your own business - WITI can help you make things happen faster, better and now!

www.witi.com


Questions or comments? Contact: editor@riskanalysisgroup.com