As seen in the November 27, 2001 issue of ...

By Judy B. Homer

SEPT. 11, 2001, was a wake-up call to corporate America. All of us have been made painfully aware of an urgent need to assess and upgrade the security protecting our information systems, and to protect the privacy and physical security of our workplaces. As a key step in achieving those goals, companies need to establish a new executive-level position, that of the chief security officer (CSO). If your company doesn't already have one, the CSO will be your must-hire for 2002.

The executive who can successfully rise to this challenge will have a diverse skill set. The CSO will not only have to understand the technology environment of the company but will also need to partner with the business and technology leadership to design and implement solutions that align the security needs of the business with the technical capabilities of the IT staff. Most important, this executive will develop and promote sound security practices and focus the employees on their individual and corporate responsibility to adopt those practices.

Hiring a CSO requires redefining the culture of the company. The CSO will partner with HR and corporate trainers to teach the staff and subsequent new hires that everyone is required to participate in protecting the company's security. That approach can actually be very unifying because it is one aspect of working at the company that everyone will have in common. That common bond can be exploited to build good will for other initiatives as well.

In a time of widespread corporate layoffs and terrorist threats, the vulnerability of a company to potential security breaches has never been more real. So the days of hiring a semireformed hacker to head security are long gone. In order to understand and offer solutions for the security issues of the organization, the CSO will need to have broad-based experience with technologies such as public-key infrastructure, enterprise user management, network and host intrusion detection, firewalls, single sign-on, biometrics and so on. Preferably, the CSO is professionally certified as well.

One of the most sensitive issues surrounding this new office is reporting relationships. The logical argument might seem to have the CSO report to the CIO, because the CIO heads IT. The CIO might argue that this position should be a direct report because ultimately all decisions affecting technology should rest in his hands.

However, a core responsibility of the CSO will be vulnerability assessment and risk management. Therefore the CSO should report to the COO or CEO. After all, the CSO will evaluate the technology environment and audit the security measures implemented by the CIO. It is in the company's and the CIO's best interest to have the CSO perceived as an impartial assessor of the technology environment instead of a possible rubber stamp.

Think of the CSO as the head of quality assurance for security. The CSO can also partner with the CIO to be an advocate for IT and to proselytize the need for expanding the IT budget to pay for necessary security measures. The CSO can also act as a powerful liaison between the business leadership and the IT leadership, drawing them together with the common goal of protecting the intellectual and physical assets of the company.

For the first time, we are being asked to unite in ensuring our homeland's security. Corporate America is being held accountable for its own security as well as actively participating in issues affecting national security. Experienced strategic leadership is required to achieve those goals. The CSO is the perfect executive to take on the challenge.