Macro, not micro.
Before a company establishes a new chief security officer position or reorganizes its existing security function, it must understand what is at the heart of the guideline's model of a modern CSO.
"There's this misperception that all we are doing is adding physical or just adding IT," says Jerry Brennan, president of executive search firm Security Management Resources, Inc., who chaired the ASIS committee that wrote the guideline. "This is a governance position. It's not a tactical position, it's not an operational position," he says.
While the long-term goal is for the CSO title to convey a top-level security position as defined by the guidelines, it may not make sense to put too much emphasis on what the position is called at this early stage. Brennan notes, in fact, that the title can be misleading, because some IT people have simply taken the CSO title, even though they do not have overall responsibility for security. And conversely, many who function as true CSOs do not have the title.
At least for now, there's been no groundswell of activity to change the titles that heads of security departments have to the uniform CSO moniker. Among the nearly 4,000 U.S. members who responded to the ASIS 2004 Salary Survey, about 665 said they were the top-level security official in their company, but only 6 were CSOs. Among the entire ASIS membership, only about 60 members give CSO as their title.
Whether a company has someone called the CSO or not doesn't matter, says Andrew Howell, vice president of homeland security policy at the U.S. Chamber of Commerce. "Maybe they should be director of security. What matters is that that person should be empowered to do his or her job."
The level of authority and reporting lines granted to the head of security is indeed a key aspect of a CSO position under the guideline. It is the key to effectiveness, agrees Kevin Keefe, CSO for Fairpoint Communications, a telecommunications company. If the head of security "doesn't have the ability to mold or shape policy from the boardroom or from the senior staff meeting level, he's hobbled," he says.
Keefe, who started out in military intelligence and who describes his background as primarily physical security and law enforcement, notes that he has had the CSO title at several companies since the late 1970s. But it had a different meaning, more related to Department of Defense issues.
Today, though his title is the same, his duties are vastly expanded and his role more closely resembles what the guidelines envision. "We have five separate business regions and each region has someone in charge of safety and security, and I lead the team, so I was given the title CSO," he explains.
Keefe now describes himself as "a security professional who started out in the industry before IT even existed who has brought himself kicking and screaming into the 21st century." His willingness to grapple with those IT issues and "to surround himself with very, very smart people in their field" has given him the ability to be the company's security generalist, the one who can make sure the pieces fit together.
At Fairpoint, the CSO reports to the CEO through the vice president of risk management. That's also the reporting model at Marriott International, where Chad Callaghan, CPP, vice president of enterprise loss prevention and a co-chair of the ASIS Guidelines Commission, heads up a new umbrella group for operational security and safety.
The group was set up a few months ago to ensure that all related policies and procedures would be looked at with a "total enterprisewide approach" across Marriott's four major business divisions. The formation of the umbrella group puts security in a better position to bring important issues before the CEO and the board, says Callaghan, as does the fact that security now reports to the senior vice president of risk management, rather than HR.
That's a good reporting arrangement, but not the only one that can achieve the objective of empowerment under the model envisioned by the CSO guideline. In fact, says Brennan, "We were specific in not recommending the title that the position would report to because we cannot anticipate how any company would be structured now or in the future."
"We tried to word it in such a way that the reporting would be to a senior person that allowed them access to the board of directors and operating committee, as well as send a message to the organization," he notes.
Some sectors have been more affected by regulatory demands on security than others. In banking, for example, financial institutions are now required to assist law enforcement with detection of money laundering and terrorist financing, and in most cases, the responsibility for suspicious-activity reporting falls with the security group, says P. Kevin Smith, CPP, senior vice president and corporate security director at Chevy Chase Bank.
"The importance of security has been recognized throughout the organization as the result of these changing responsibilities," says Smith. And that has led to a trend to elevate the chief security position in the financial services industry.
HIPAA is having a similar effect in the healthcare industry. For example, when Magellan Behavioral Health established its first security program in December 2000, it was directly related to HIPAA, though the department is now also helping the company deal with Sarbanes-Oxley and other issues, says Jeriel S. Garland. Garland, who has a background in law enforcement but who also has a degree in computer studies, was hired to fill the CSO position about a year and a half ago.
Garland says he still sees a division between traditional security and IT in many companies and in the minds of many security professionals. That's a mind-set that has to be overcome by anyone who aspires to the top slot, he says. "If people are going to become CSOs, they have to understand fundamentals in a lot of different disciplines. They don't have to be able to manipulate a firewall, but they need to know what their people are telling them."
And in his case, the CSO title is apt. When the program was established, explains Garland, the company "made the decision to put one person in substantial charge of all security activities and designated that person as CSO."
The position oversees all security activities for the company, including physical, personnel, investigations, and IT. And this year, Garland has the green light to further expand the department's purview to consolidate the company's contingency planning and emergency-response efforts.
Right now, he says, that responsibility is fragmented, with pieces in IT, pieces in operations. "It's a critical function in business today and deserves someone who is a specialist in that," he says. To achieve that objective, he will be hiring someone to fill a new position of director of disaster recovery and business continuity.
Garland is not alone in being given greater responsibilities. "It seems like we get a new area of responsibility almost on a monthly basis," says Gordon W. Kettler, executive director of global security for General Motors Corporation since 1990.
His department's scope includes investigations, crisis management, fire protection, security technology assessment and purchase, contract management, brand protection, VIP protection, global intelligence gathering, loss reporting, and supply chain security.
The security team also shares responsibility for information security. For example, he explains, "We provide the physical security and investigative activity including forensic investigations, and IT provides support."