CSO or CISO: Who Makes Security Policy?

June 15, 2017
Organizations will defer to the executive who displays agility, business acumen and alignment

For decades -- arguably centuries -- organizations have relied on the head of physical security and safety to protect information assets and set all security policies. Today, however, many companies are turning to the head of information security to set policy, not only for information assets but for the entire company. Has the role of corporate (physical) security lost its relevance? Why have Information Security managers become so visible in the "C-Suite" of many organizations? Why are so few physical security managers there?

Twenty years ago, there were only a few organizations in the world with a Chief Information Security Officer. In fact, in 1997 only a small percentage of companies outside of the Fortune Global 500 had a recognized head of information security by any title. Today, every company over $3bn in revenue has a recognized head of information security, as do most companies with more than $300m.

The question of who sets security policy is political and boils down to one characteristic: savvy.

Twenty years ago, access control and video surveillance constituted high-tech security. IT security was a small technical group relegated to the dark corners of the basement or data center wrestling with firewalls and viruses. Corporate Security personnel oversaw every other aspect of corporate protection: identity and access management, investigations, executive protection, personnel safety, disaster response, the installation and maintenance of alarm panels, door controls, fencing, lighting, cameras and miles of coaxial cable. Clearly, in 1997, Corporate Security reigned supreme.

Yet, 10 years earlier, a seed of change had been planted. IT was growing in influence. The IT security hobbyists working on mainframe computers had made enough noise about viruses and hackers that business managers finally authorized a budget for data security. “Here’s some money to keep bad things from happening – as long as you don’t tell me what you are doing!  I don’t want to know about security,” they would say.

The years went on, with IT security geeks dreaming up every bad thing that could possibly happen, then devising ways to mitigate them – all the while complaining that the executives don’t pay enough attention to IT security.

In 2000, the economy tightened up and for the first time corporate and IT security managers were brought out of the shadows and into the light – but it wasn’t the limelight of the stage. It was the interrogator’s lamp. For the first time, security experts were asked to describe protection efforts in terms of return on investment (ROI), and cost-benefit analysis.

2000 and 2001 saw the highest number of firings of security managers in recent years as access control and guard professionals failed to articulate the value of security in terms that executives could appreciate.

It got worse after 9-11 when hundreds of CEOs called in the heads of IT security and corporate security for a briefing, only to discover that the two chaps had never met one another. Security received lots of attention after September 2001 when hundreds of millions of dollars were spent on security-related stocks and knee-jerk corporate defenses.

Then another shoe dropped; see Enron, WorldCom, Sarbanes-Oxley, Basel II Capital Accords, and EU data protection directives. Suddenly, risk management was the main topic within the executive suite. Security plays a role – to be sure – in corporate risk management, but it is a role subservient to investment risk, brand risk, credit risk, and the myriad other forms of risk management.

Chief Security Officers – sometimes hired, sometimes self-proclaimed – attempted to rise to the risk management challenge, but failed to gain more influence than a certain previously unknown influencer in the executive suite: the chief information officer.

The CIO had, for the previous 10 years, steadily grown in status and influence across all sectors of the corporation. It is the information technology professional that did the best job of translating the importance of technology to business value. Physical security professionals have still not learned that language.

Now, in 2017, the role of CIO is well established, as is the importance of communicating the value of technology in business terms.

Any manager, who demonstrates consistent cleverness and understanding of the business, will generally grow in rank and influence. There are varieties of ways to show this savvy. Some security professionals are adept at law enforcement and investigations; others are more political, with a relationship among executives; some have excellent presentation skills. These skills may be found among both CSOs and CISOs.

In my 30 years in the security industry, with the last 15 focused on mentoring CSOs and CISOs, I’ve found that savvy has a practical application. The security manager with the most well-run business unit usually has the most influence.

Immediately, readers from the physical security sphere take heart when they hear about well-run operations. That’s because physical security enjoys standard operating procedures with decades of precedence. Experienced corporate security directors, especially those coming from law enforcement and military backgrounds, generally know exactly how to operate an efficient program.

Unfortunately, dog-eared SOPs don’t impress the C-Suite. Executives only want one thing: to achieve the goals of the business with speed and agility. They don’t want security, per se. They want every business unit, including IT and Corporate Security, to be perfectly tuned to needs of the business.

Companies that run security programs with the cost-efficiency and quality conscientiousness of a regular business unit achieve greater benefits for the organization as a whole and reduce costs relative to performance.

Here is where the success of security leaders consistently breaks down:

Wasting Time: Security teams waste time putting out the same fires, continually “reinventing the wheel” of many security tasks, and performing “busy work” for auditors and customers, recreating documents and filling out SIGs (standardized questionnaires used to self-assess security) and assessments and the like.

Wasting Money: Audits and assessments invariably find deficiencies that need to be fixed fast. Each “mitigation” project pulls valuable people off of important “normal” projects.

Lack of Systematic Processes: Security and IT teams rarely function together as a finely-tuned-machine. As a result, managers are constantly running interference when conflicting processes and personalities interfere with productivity. 

Lack of Quality Measurement: Annual 3rd-party assessments do a good job of establishing a progress report, like your child’s growth chart at his pediatrician’s office. However, waiting a year or longer between assessments means there is no way to catch operational errors in real time.

Employees Feel Left Out: Employees hoard information and protect turf when they feel uncertainty around them. They want to feel “essential.”  Therefore, managers have a difficult time responding with agility.

After all, if an employee becomes irreplaceable— “He’s the only guy who knows how to run our kludgey authentication server”—then he also becomes un-promotable. The manager has no way to move that worker to any other critical function and is critically affected when key employees unexpectedly leave.

Support & Training Sporadically Available: Outside consultants and professional conferences offer excellent sources of training and improvement. Unfortunately, it is prohibitively expensive to finance full-time consultants or constant employee trips to conferences.

Focus on Success

Here are the keys to excellence that the CISOs and CSOs I work with have converted into C-Suite success. Any leader who desires to improve his or her influence this year should focus less on technology and more on these SECRETS of business maturity.

  • Continual Improvement
  • Continuous Coaching, and
  • Measurement & Recognition

"Continuous Improvement" you may recognize as the key ingredient in all those business books you've ever read. Good to Great, The Search for Excellence, Lean In, The Goal, and the rest. It's also part of Six Sigma, CMMI, ISO9001, TQM, EFQM and the rest of the Baldrige-like quality improvement programs.

Continuous Coaching is the next secret. Just like a ball team with a great coach, Companies that have a resource feeding them exactly the best practices they need for each work activity needing improvement -- those security directors flourish!

Measurement & Recognition is the third. The best ways for managers to record success is to measure employee engagement and progress effectively, and the best way to maintain or grow that success is to make the front-line employees engaged for success.

Every business manager – and that includes the head of corporate security and the head of IT security – is tasked with making the infrastructure well-tuned, purring like a Ferrari and geared toward tomorrow's evolving business needs. Therefore, CISO or CSO who best promotes the agility and competitive growth of the firm (from the point of view of the dominant CIO or COO) will be the source of policy, governance, and spirit.

About the Author: Steve Hunt is an executive strategist with expertise in information security, physical security, confidential information protection, critical infrastructure protection, technology, risk management and regulatory compliance. He was inducted into the ISSA Hall of Fame for his achievements in information security and, CSO [Chief Security Officer] Magazine presented him with the “Industry Visionary” Compass Award. He heads Hunt Business Intelligence and authored the eBook, The Security Manager’s Playbook: A Leader’s Guide to Optimizing Security for Any Business. http://huntbi.com/. Steve may be reached at [email protected].

About the Author

Steve Hunt | Steve Hunt

Steve Hunt was named one of the 25 most influential people in the security industry by Security Magazine and CSO Magazine named him Industry Visionary Compass Award Winner in 2006. Steve is an industry advisor, investor, futurist and consultant. From 1998 to 2005 he ran security think tanks at Giga Information Group and Forrester Research. Steve founded Hunt Business Intelligence to support best practices, investments and technological innovations related to security. His analysis appears in newspapers like the Wall Street Journal and many trade magazines, and he has appeared as a security analyst on MSNBC, CNN and Fox. Steve authors the popular blog SecurityDreamer.com