CSO/CISO Certification Program:
The Rest of the Story
by Bill Gillespie,
President, Risk Analysis Group

An article prepared by Matthew Schwartz and published by Information Security in September of this year identified some misconceptions that demonstrate, as I could not, the need to accelerate the development of the CSO initiative. Mr. Schwartz and I spoke for more than a half-hour, and subsequent to our discussion he interviewed an analyst with a CISSP certification and a CISO. The article is excellent, accurate and poignant.

The issues raised by those subsequent interviewees were (1) the credibility of the CSO program, (2) competition with other 'security' certifications, and (3) the flexibility of the existing CISSP certification programs to address business issues. Within an enterprise-wide business model, none of these responses is valid, and they demonstrate a misunderstanding of the goals of the CSO program. These misunderstandings are not exclusive to IT certification entities.

The subtitle of the article may have contributed to the confusion of Risk Analysis Group's (RAG) intent. RAG's vision of a Chief Security Officer (CSO) is as an independent, stand-alone executive that in typical organizations would be another C-level position. That this role would be interchangeable with the CISO position is a fundamental misconception. It is not.

Program Credibility
One respondent indicated that he would not pursue the CSO certification because RAG is "for-profit". Success in business today requires the possession of at least a bachelor's degree; a master's degree is usually preferred. Are there any among us who studied at a university that offered courses without expense or survived with a cadre of professors who volunteered their time?

The credibility (and success) of the CSO program will be determined by the reception it receives from Chief Executive Officers or Chairmen of the Board, the individuals to whom the CSO should report. It is the CEO's indifference to or ignorance of the importance of a variety of certifications that forms the foundation of RAG's CSO effort. If senior executives do not support a certification effort or, more importantly, participate in its development, the success of that effort will be minimal. We know that from our personal business experiences.

Competition with Other Security Certifications
Schwartz's article was written for an IT publication and suggested that the CSO program would compete with the existing CISSP and CISM certifications. This is not true. RAG applauds the dedication and hard work of ISC2 and the Information Systems Audit and Control Association, the organizations that offer the CISSP and the Certified Information Security Manager (CISM), respectively.

To be effective in today's organizations, broad-based business knowledge is essential. This statement implies that even the most proficient IT professional must continue to learn business skills outside of the IT environs.

RAG intends no competition with any certification entity. The foundation of the CSO program is mastering Integrated Risk Management, an enterprise-wide business discipline, only a small portion of which is broad-based knowledge of IT administration. The CSO program will include, but not be limited to, the administration of IT, finance, operations, risk management, business continuity, security and safety. The CSO must have the "thirty-thousand foot" view of all business areas to be effective and to earn the respect of any CEO.

The creation of the CSO program is not competition but a call to action to consolidate all of the professional certifications in a comprehensive program.

Flexibility of Existing Certifications
Another respondent in Schwartz's article suggested that an existing certification could be modified to address the changing business environment. If this statement addresses changing conditions within a particular discipline, I support it. If it suggests that a particular professional certification can address the ever-changing business landscape, then history demonstrates that failure is likely. The CSO program will succeed because it is designed to encompass all facets of business, not to focus on one area and then tack on glosses of a few others. Substituting letters in a title does not provide an executive with the additional knowledge to succeed; it only adds responsibility to a person whose plate is already full.

IT is, and should be, a focused arena. It is one that changes daily and the management of this field requires that the CIO (or CTO) remain on top of his/her environment. This, in itself, is a full-time challenge. To add additional responsibilities to that executive may blur his/her focus. A notable exception is the corporation that is an IT enterprise, if that appointed CSO recognizes the importance of hiring subordinates who can assist in the development and administration of traditional security and safety programs and learns to communicate with finance, administration, legal and operations equivalents.

Moving Forward
Continued development of the CSO program remains necessary to address an increasingly hostile business environment. Any attempt to add content to an existing certification beyond its particular discipline runs the risk of diluting a successful program. It makes better sense to work with RAG as it attempts to align the various certification programs to develop the CSO concept.


Discuss this article! Post your thoughts to RAG's message boards. If you have not used the RAG website before, you will be asked to create a user profile. The message boards are currently free for all users.

Make the next step in your journey toward becoming a CSO. Register today to attend one of the upcoming RAG conferences in Boston (November 3-4), Phoenix (December 15-16), Dallas (February 26-27, 2004), Atlanta (March 23-24), and Chicago (April 22-23). Spend two days with industry experts learning such critical skills as business continuity planning, how to handle workplace violence, and what Sarbanes-Oxley means for your company. Click here or call us at (818) 501-3297 for more information.

Integrated Risk Management Strategies:
From the Front Gate to the Hard Drive.

Presented by former U.S. Secret Service agents and other nationally recognized security specialists, this comprehensive two-day seminar offers practical solutions for preventing harm to staff, property, and information assets.

Earn CPP, CISSP, CLE, CLSD, PHR, SHRP and other continuing education credits!

Space is limited! Sign up NOW!

Boston
November 3-4, 2003
Hilton Hotel@MIT
617-577-0200

Phoenix
December 15-16, 2004
Phoenix Hilton Airport
480-894-1600

Dallas
February 24-25, 2004
Monitronics International, Inc.

Atlanta
March 23-24, 2004
TBA

Chicago
April 22-23, 2004
TBA

For additional information or to register,
click here or call us at (818) 501-3297.


2 Day Executive Protection Agent Training Course
presented by Joseph A. LaSorsa, CPP (Former Secret Service)

This seminar will provide basic knowledge of the "Art of Executive Protection" in the style of the U.S. Secret Service.

Fort Lauderdale
Nov. 3-4, 2003
Holiday Inn
954-563-5961

For additional information or to register,
click here.

Career Opportunities
Looking for your next great opportunity? Not looking but open?

Add your resume confidentially to the Risk Analysis Group Resume Database.

Our placement experts will contact you with exciting opportunities.

news.com
Oct. 3, 2003

"Kucinich backer hacks CBS News site"

news.com
Oct. 3, 2003

"Microsoft security suit raises thorny questions"

CNN
Sept. 30, 2003

"Web security executive accused of hacking military"

news.com
Sept. 30, 2003

"The biggest invitation to ID theft"

Risk Analysis Group is dedicated to providing information and resources to security-conscious professionals.

As a RAG member, you will have access to:

  • The advice and experience of experts
  • Research, white papers and presentations to get your security programs funded
  • Education and training seminars
  • Networking opportunities and information on career advancement opportunities
  • Special Interest Groups (SIGs)
  • Discounts at all Risk Analysis Group events and most external events
  • Preferred pricing on all RAG services
For more information or to join now, click here

"I have been a member of ASIS since 1990 and have attended numerous security seminars in which they typically tell you about what has happened in the past... Risk Analysis Group taught me about what is happening now, and what I need to be aware of for the future. RAG also understands that one person can't know it all - and they have brought in several different speakers who are experts on different areas of security.

"Now that I know how valuable Risk Analysis Group's course is, I am going to recommend my company's executive and HR team attend as well."

-Jonathan McBride, CPP, Security and Safety Director, Innotrac (Reno, NV)
This edition sponsored by WITI

Women in Technology, International


WITI is the premiere global organization helping tech savvy women attain their professional goals. With a network of smart, talented women & a market reach exceeding 2M, we have powerful programs & partnerships that provide connections, resources, & opportunities. Whether you work for a company, the government, academia - or your own business - WITI can help you make things happen faster, better and now!

www.witi.com


Previous Issues

Security Basics: New Data Security Laws Carry Greater Consequences
Sept. 24, 2003

Insider Threat: Risk Management Through Information Distribution Management
Aug. 21, 2003

The Future of the CSO
Jul. 20, 2003

The Evolution of the Chief Security Officer
Jun. 20, 2003


Questions or comments? Contact: editor@riskanalysisgroup.com