When J. David Quilter first headed a security department, he was the outsourced director of security. "I was like the third cousin once removed," he remembers. "You sat at your desk. You got a call when all the horses were gone and the barn was burned."
That was 1996, barely a decade ago, but a world away. Today, Quilter is the director of corporate security at NiSource Inc., which brought him in three years ago in response to 9-11 to build a consistent security program across its 15 operating companies.
Because NiSource, a natural-gas holding company, is part of the country's critical infrastructure, "security really is a business imperative," says Quilter. Consequently, he now has a dotted line to the chairman on the organizational chart. "I would not join a corporation today if I did not have direct access to the chairman and the executive leadership," he says.
Quilter's journey is emblematic of the path that all security professionals need to travel if they are to be effective stewards of their companies' assets. The roadmap to this leadership function was laid out last year in the ASIS International Chief Security Officer Guideline. And while it remains a road not yet widely traveled, each year brings with it more movement in that direction.
"We are seeing now the CSO job as breaking out of its traditional role as second or third tier within the organization," says Stephen W. Walker, general partner, the Foushee Group, Inc., which is in its fourth year of conducting its Security Compensation Survey. They are now reporting directly into whoever has the top administrative role within the organization, he says. "More importantly," he adds, "we are seeing companies start to integrate some of their information systems security into the CSO's office."
That is moving the corporation toward an enterprise security solution, and "that's where we need to be," says Don W. Walker, CPP, chairman of Securitas Security Services USA, Inc., and chairman of Pinkerton Consulting & Investigations, Inc. Walker served as co-chair of the ASIS Commission on Guidelines.
But progress has been uneven. "I've seen companies start in the direction where I thought they were going to get their hands around it and then back off for various reasons," he says.
Impediments have included budget constraints and the business culture. Walker estimates that today less than one-third of the corporate world has its security function set up with the desired enterprisewide model and with a strong CSO working closely with senior management to set and implement security policies.