A Pyramid of Skills: How CSOs Can Become Business Leaders

Security careers are always in motion, and each new position requires an additional set of skills.

As I navigated my U.S. government career, I made it a point to look for my next position even before I was ready to move. Identifying the next position gave me a goal. It also helped me identify the skills I needed to be ready for the position.

I found it easier in the public sector to identify the required skills and experience necessary to advance because I was on a career track where the requirements for each stage were well understood within the organization. When I transitioned into the private sector, I wanted to continue my “one step ahead” approach but found it harder to identify the required skills for advancement. I have heard this same dilemma from colleagues throughout the security industry. They want to advance to become a security director, a deputy chief security officer, or even a chief security officer (CSO), but they can’t find the manual for the skills they need to get there.   

What’s even harder is that the skills to manage security professionals are not necessarily the same skills it takes to be a great security practitioner. So, we spend years developing our risk assessment abilities, our situational awareness, and our knowledge of the “rings of security”—only to be told we lack the traits necessary to move up. How do we develop these skills when we spend all day analyzing the geopolitical risks to our supply chain? How do we even know what skills our bosses—who are often non-security professionals—are looking for?

Fortunately, the characteristics that make a good security leader are known and can be developed. ASIS International’s CSO Center Content Committee is composed of such security leaders, and they have created five categories to guide aspiring CSOs in their professional development. These five categories fit into a framework called the CSO Development Pyramid.

CSO Center members created the pyramid in response to requests from security leaders—including chief security officers (CSO), senior security executives (SSE), and aspiring CSOs—for content about building, maintaining, managing, and leading a security department. We identified the following five areas of competence CSOs need to be successful:

1. Leadership and Management. Develop soft skills including people management and development; program and project leadership; nurture lasting relationships with business partners; implement change management; and create impactful communications.
2. Analyzing the Business. Evaluate your security program and its place in the wider business; identify strong competencies and relationships, as well as areas for growth.
3. Risk Management. Build a program that can assess risks, identify gaps, and combine data with expertise to translate security requirements into the language of the business.
4. Strategy. Devise long term strategic goals that close identified gaps, improve readiness, and better anticipate and integrate with the goals of the business.
5. Future Proofing. Analyze and improve your organization's roadmap, leverage the latest technologies, and ensure physical security remains proactive, not reactive.

The pyramid is structured based upon allocation of time. For example, you might spend 40 percent of your time on leadership and management, 20 percent on risk management, and 10 percent on strategy and future proofing. In the first months of your role, you might spend 30 percent on analyzing the business and then that tapers off to 10 to 20 percent over time.  

The content within this pyramid is curated from the ASIS library and vetted external resources, and it resides in the CSO Center Resource Library within ASIS Connects. CSO Center members can explore the Development Pyramid today, and aspiring CSOs looking to the skills they need to reach that rung on the career ladder can start with the overview articles in this series, all contributed by CSOs.

Matt Bradley is the senior vice president of Risk Solutions for Crisis24. He has spent the past 25 years adding value through security in the public and private sector. He specializes in teaching organizations how to leverage technology to improve their risk management outcomes.