The Future of the CSO
By Bill Gillespie
President, Risk Analysis Group

Last month's article focused on the need for a Chief Security Officer (CSO). This article will address what must be done to prepare prospective candidates for the job.

Rites of Passage
There are a number of current certifications offered by different organizations. They include, but are not limited to, CPP, CISSP, CFE, CLSD, SPHR and others. Each of these endorsements certifies that the qualifying recipient has demonstrated his or her knowledge of a variety of subjects within the chosen discipline. Achievement of any of the certifications requires preparation for and passage of an extensive examination.

However, many of these certifications were developed years ago, some more than twenty years ago. Times have changed, as have the challenges. Today, the completion of any one of these certifications is merely the first leg of a journey toward becoming a CSO, not the final destination. A competent CSO will have general knowledge in all of the areas encompassed by these certifications.

RAG has never intended to slight the administrators of or those in possession of the captioned certifications. In fact, the seminars offered by RAG are unique because they qualify for continuing education units (CEUs) for all of these disciplines. These seminars have provided a forum for professionals from diverse backgrounds to discuss a variety of issues impacting each of them and their employers. These discussions have validated my belief that we must develop new approaches, working together to develop enterprise-wide solutions. For this reason, any of these certifications will serve as the minimum standard for entry into the CSO program currently under development.

Credibility is Key
As a CPP in good standing, I am most familiar with this certification. However, as one of the presenters at the RAG seminars, my exposure to recipients of other certifications qualifies me to make certain broad statements.

There is a unilateral decline in the recognition of the captioned certifications by senior management. One need only review the classified employment ads to learn that possession of these certifications is no longer a requisite for senior level positions, and only rarely is it identified as 'preferred'. This is a message that we must recognize, accept and address. All of our collective efforts to raise the bar within our professions are for naught if those efforts are not accepted and supported by the Chief Executive Officers (CEOs) of the organizations in which we work or wish to work.

Any training curriculum or program must be credible to the CEOs and other C-level executives of mainstream American corporations. In an era of cost reduction, corporations are seeking 'value added' for new hires, placing a premium on candidates who can multi-task. This is why we saw the trend to expand C-level positions to include the CSO position or to add the CSO responsibilities to an existing job description. The fundamental challenge that continues to impact security practitioners is their traditional reputation and corporate disrespect for what they do, that is, the belief that someone else can fill the security role if financial times become tough. How do we address these issues?

Program Development - Who, not what
The content for the existing certification programs is the result of hundreds of hours of research and plain hard work by a number of committees and committee members. But who comprised the committee membership? How many of the committee members were C-level executives who were not members of the association overseeing the certification? Of the committee membership, how many were from some of the 'other' certifications? And finally, how much input was received from CEOs, the focus of the legislative initiatives that provide the CSO opportunity?

We know the answers to these questions. There is no need for broad-based participation in focused certification efforts. However, such broad-based participation will be mandatory for the development of a program that meets the needs and earns the respect of CEOs and others outside the security realm. The development of a CSO program requires the participation of all of the certification disciplines and an invitation to C-level executives to participate, including CEOs. Will they attend? Yes, and for a very simple reason.

Sarbanes-Oxley and other legislation targets C-level executives with mandates that ethics, not money, shall be their primary responsibility. The initiatives imply that the old ways are unacceptable and the appointment of a new "sheriff" is appropriate.

Program Content
Depending upon our discipline and background, each of us has strong ideas for what should comprise the CSO program or curriculum content. It is not appropriate for any of us to guess what knowledge base a CEO feels would engender his or her trust and support of a CSO or, better yet, encourage him or her to recruit and hire one. My message extends to the C-level executives who may read this article, and it is my hope that it serves as an invitation, as we desperately need their assistance and input.

Minimally the program or curriculum may include but need not be limited to the following areas:

  • Physical Security
  • Executive Protection
  • Protection of Staff
  • Travel Advisory
  • Homeland Security Awareness
  • Finance
  • Auditing and Accounting
  • IT Architecture
  • IT Security
  • Human Resource Issues
  • Development and Maintenance of Business Continuity Plans
  • Legal Issues (Privacy, Attorney-Client Issues)
  • Sarbanes-Oxley and other legal initiatives
  • Integrated Risk Management
  • Other areas as identified by committee

This is a broad array of knowledge to be assimilated. However, the most important subject is the last bullet: the other areas that are to be identified by C-level executives participating in this process.

It is my hope that a broad audience that includes C-level executives is reviewing this article. Input of any nature can be sent via e-mail to the editor or directly to me at bill@riskanlysisgroup.com. Perhaps those responses may serve as the forum to complete this project.

CSO Educational Forum
While the aforementioned certifications have been successfully supported by their respective organizations, the CSO program may require delving into uncharted waters, namely recruiting the participation of private business and accredited universities. Given the global attention being given to the issues contained within the suggested curriculum, I believe support and participation from these sectors is appropriate.

How best will such a course be taught? Is this an appropriate area for E-learning? Or would it require a blend of classroom curriculum and E-learning? I believe the answer to both of these questions is yes, but again, I solicit the response from the audience.

There is a real need for a Chief Security Officer, someone who can take the "thirty thousand foot" view of a business and all its components, someone who can understand the details while simultaneously holding the big picture in mind. Success in this role will require a broad range of knowledge, and RAG is dedicated to the creation of a program that will equip professionals for this role. This is a daunting task, but the reward will justify the effort.

"Evidence shows that every five years, 20% of companies will suffer a major disruption through fire, flood or storm, power failures, terrorism and hardware/software failures.

"Of those companies which do not have Business Continuity plans, 80% fail within 13 months of such an incident. Those who successfully restore their business have seen the company value rise"

- John Sharp, CEO, The Business Continuity Institute.