The role of the Chief Security Officer (CSO) has not really changed. “Secure the perimeter” has always been the mantra and historically it was to protect the organisation from physical threats. Philip Ingram, a freelance security and intelligence journalist, looks at how roles may be developing.
Moats and battlements have been replaced with fences, lookouts with CCTV and drawbridges with card access doors. Communications have been protected using encryption to hide the message rather than protecting it as it travels, but this is nothing new. Around 100 BC, Julius Caesar used encryption to convey secret messages to his army generals at the war front.
With the advent of the Internet and electronic communications, the “perimeter” is, in a sense, boundless. A centralised headquarters building can have fences, locks, PID systems, CCTV, access control and more in place to ensure corporate intellectual property, business secrets and its people are all protected and kept safe. However, monitoring an outstation remotely means that the perimeter is only as secure as the outstation and the means of communication to and from it. No longer can security be considered a “premises-based” operation.
According to a study done by Tyco and reported in a blog on their site, “in this new world, the role of the traditional CSO and his or her team remains crucial, no matter where security headquarters are located. There is not, and likely never will be, any substitute for physically interceding between a perpetrator and his intended target in a timely manner. However, with new definitions of security, that role is now joined by a host of others, with, in many organisations, professionals from IT, HR, Legal, Logistics and other departments in security related roles.”
So, with the CSO’s role taking in many more disciplines, the role is much more that of a multidisciplinary team leader, with many of the team being unfamiliar with security and not under the direct responsibility of the security director. This raises an issue of responsibility. Where, in today’s multi-connected world, should the responsibility for security lie?
The Tyco study, reinforced by what Philip Ingram is seeing across the industry, suggests that this convergence is creating a window of opportunity for the CSO to expand his or her role, responsibilities and therefore importance within a company.
The opportunity comes back to where responsibility lies. Security is a discipline to mitigate business risk and if that risk has been delegated to the CSO then he or she is perfectly right in asking for an expansion of their role. However, if the risk lies elsewhere then the responsibility for directing a multidisciplinary team lies with the “owner” of the risk.
Traditionally a CSO has been an expert in his or her field, leading by dint of superior knowledge, and that is why many enterprise-level companies have separate roles for physical security and for IT security. With the advent of a requirement for multidisciplinary teams, the expertise will be provided one level down or by external contractors.
The CSO should not try to become the expert in all disciplines by him or herself. Rather, they need to understand the language and nuances of each area and “translate” them into one focused output aimed at dealing with the issue of risk reduction or mitigation. In addition, the CSO does not need to know how to install and operate security equipment or software but rather needs a general understanding of how they work, their strengths and limitations, and how to create a complementary suite of capabilities.
Critical to the development of this role, therefore, is understanding who owns the risk, what resources are available and who has responsibility for them. Last, but most important, is training. It is one of the roles of the many professional organisations and bodies to ensure that training standards are properly defined and that training providers give the correct quality of support to their members.
The biggest plus in the development and expansion of the role is that a wider cross section of any company will be exposed to security before it becomes an issue, and greater collective understanding can only help with overall standards.