The Very Model of a Modern CSO
When J. David Quilter first headed a security department, he was the outsourced director of security. “I was like the third cousin once removed,” he remembers. “You sat at your desk. You got a call when all the horses were gone and the barn was burned.”
That was 1996, barely a decade ago, but a world away. Today, Quilter is the director of corporate security at NiSource Inc., which brought him in three years ago in response to 9-11 to build a consistent security program across its 15 operating companies.
Because NiSource, a natural-gas holding company, is part of the country’s critical infrastructure, “security really is a business imperative,” says Quilter. Consequently, he now has a dotted line to the chairman on the organizational chart. “I would not join a corporation today if I did not have direct access to the chairman and the executive leadership,” he says.
Quilter’s journey is emblematic of the path that all security professionals need to travel if they are to be effective stewards of their companies’ assets. The roadmap to this leadership function was laid out last year in the ASIS International Chief Security Officer Guideline. And while it remains a road not yet widely traveled, each year brings with it more movement in that direction.
“We are seeing now the CSO job as breaking out of its traditional role as second or third tier within the organization,” says Stephen W. Walker, general partner, the Foushee Group, Inc., which is in its fourth year of conducting its Security Compensation Survey. They are now reporting directly into whoever has the top administrative role within the organization, he says.
“More importantly,” he adds, “we are seeing companies start to integrate some of their information systems security into the CSO’s office.”
That is moving the corporation toward an enterprise security solution, and “that’s where we need to be,” says Don W. Walker, CPP, chairman of Securitas Security Services USA, Inc., and chairman of Pinkerton Consulting & Investigations, Inc. Walker served as co-chair of the ASIS Commission on Guidelines.
But progress has been uneven. “I’ve seen companies start in the direction where I thought they were going to get their hands around it and then back off for various reasons,” he says.
Impediments have included budget constraints and the business culture. Walker estimates that today less than one-third of the corporate world has its security function set up with the desired enterprisewide model and with a strong CSO working closely with senior management to set and implement security policies.
Macro, not micro. Before a company establishes a new chief security officer position or reorganizes its existing security function, it must understand what is at the heart of the guideline’s model of a modern CSO.
“There’s this misperception that all we are doing is adding physical or just adding IT,” says Jerry Brennan, president of executive search firm Security Management Resources, Inc., who chaired the ASIS committee that wrote the guideline. “This is a governance position. It’s not a tactical position, it’s not an operational position,” he says.
While the long-term goal is for the CSO title to convey a top-level security position as defined by the guidelines, it may not make sense to put too much emphasis on what the position is called at this early stage. Brennan notes, in fact, that the title can be misleading, because some IT people have simply taken the CSO title, even though they do not have overall responsibility for security. And conversely, many who function as true CSOs do not have the title.
At least for now, there’s been no groundswell of activity to change the titles that heads of security departments have to the uniform CSO moniker. Among the nearly 4,000 U.S. members who responded to the ASIS 2004 Salary Survey, about 665 said they were the top-level security official in their company, but only 6 were CSOs. Among the entire ASIS membership, only about 60 members give CSO as their title.
Whether a company has someone called the CSO or not doesn’t matter, says Andrew Howell, vice president of homeland security policy at the U.S. Chamber of Commerce. “Maybe they should be director of security. What matters is that that person should be empowered to do his or her job.”
The level of authority and reporting lines granted to the head of security is indeed a key aspect of a CSO position under the guideline. It is the key to effectiveness, agrees Kevin Keefe, CSO for Fairpoint Communications, a telecommunications company. If the head of security “doesn’t have the ability to mold or shape policy from the boardroom or from the senior staff meeting level, he’s hobbled,” he says.
Keefe, who started out in military intelligence and who describes his background as primarily physical security and law enforcement, notes that he has had the CSO title at several companies since the late 1970s. But it had a different meaning, more related to Department of Defense issues.
Today, though his title is the same, his duties are vastly expanded and his role more closely resembles what the guidelines envision. “We have five separate business regions and each region has someone in charge of safety and security, and I lead the team, so I was given the title CSO,” he explains.
Keefe now describes himself as “a security professional who started out in the industry before IT even existed who has brought himself kicking and screaming into the 21st century.” His willingness to grapple with those IT issues and “to surround himself with very very smart people in their field” has given him the ability to be the company’s security generalist who can make sure the pieces fit together.
Reporting lines. At Fairpoint, the CSO reports to the CEO through the vice president of risk management. That’s also the reporting model at Marriott International, where Chad Callaghan, CPP, vice president of enterprise loss prevention, and a co-chair of the ASIS Guidelines Commission, heads up a new umbrella group for operational security and safety.
The group was set up a few months ago to ensure that all related policies and procedures would be looked at with a “total enterprisewide approach” across Marriott’s four major business divisions. The formation of the umbrella group puts security in a better position to bring important issues before the CEO and the board, says Callaghan, as does the fact that security now reports to the senior vice president of risk management, rather than HR.
That’s a good reporting arrangement, but not the only one that can achieve the objective of empowerment under the model envisioned by the CSO guideline. In fact, says Brennan, “We were specific in not recommending the title that the position would report to because we cannot anticipate how any company would be structured now or in the future.”
“We tried to word it in such a way that the reporting would be to a senior person that allowed them access to the board of directors and operating committee, as well as send a message to the organization,” he notes.
Artificial turf. Additionally, though the goal is to move toward an enterprise solution, “there’s no need to be worrying about turf wars,” says Walker.
“Risk management can be an independent discipline, cyber can be, and operational can be, but they’ve all got to work together,” he explains. (Walker uses the term operational to refer to traditional security, which is often simply called physical, but which, he notes, encompasses much more than that.)
Many companies are achieving that coordination through security councils or governance committees. That’s the approach at NiSource, says Quilter, where HR, ethics, IT security, and his team can, for example, coordinate their work on an investigation through their security council.
Similarly, at Avaya, Inc., the company has a security governance committee, says Director of Global Security Marene N. Allison, who worked on setting it up with her IT security counterpart. Through the committee, “we work as a team,” she notes, adding, “It’s not so much about where you report. It’s about the overall security governance of the organization.”
Allison also serves as co-chair of Avaya’s crisis management team, giving security a leadership role in business continuity as well.
Catalysts. A number of onerous legal requirements have formed like dark clouds over corporate executives’ heads in recent years. These requirements arise from laws such as the Health Insurance Portability and Accountability Act, known as HIPAA (which concerns health data protection), Gramm-Leach-Bliley (which concerns financial services data protection), and Sarbanes-Oxley (which pertains to corporate governance, internal controls, and fraud prevention).
From security’s perspective, there is a silver lining to these regulatory clouds—the new responsibilities that have rained down from them are pushing companies to recognize the value of the security department and to enhance its role.
“The Patriot Act certainly has brought attention to the security function,” says Walker. “And certain companies have now escalated the security function to reporting to the audit committee of the board or to a special committee of the board so that security concerns can get directly to the CEO and to a board committee, and I think that’s almost a direct result of Sarbanes-Oxley,” he adds.
Some sectors have been more affected by regulatory demands on security than others. In banking, for example, financial institutions are now required to assist law enforcement with detection of money laundering and terrorist financing, and in most cases the responsibility for suspicious-activity reporting falls to the security group, says P. Kevin Smith, CPP, senior vice president and corporate security director at Chevy Chase Bank.
“The importance of security has been recognized throughout the organization as the result of these changing responsibilities,” says Smith. And that has led to a trend to elevate the chief security position in the financial services industry.
HIPAA is having a similar effect in the healthcare industry. For example, when Magellan Behavioral Health established its first security program in December 2000, it was directly related to HIPAA, though the department is now also helping the company deal with Sarbanes-Oxley and other issues, says Jeriel S. Garland. Garland, who has a background in law enforcement but who also has a degree in computer studies, was hired to fill the CSO position about a year and a half ago.
Garland says he still sees a division between traditional security and IT in many companies and in the minds of many security professionals. That’s a mind-set that has to be overcome by anyone who aspires to the top slot, he says. “If people are going to become CSOs, they have to understand fundamentals in a lot of different disciplines. They don’t have to be able to manipulate a firewall, but they need to know what their people are telling them.”
And in his case, the CSO title is apt. When the program was established, explains Garland, the company “made the decision to put one person in substantial charge of all security activities and designated that person as CSO.”
The position oversees all security activities for the company, including physical, personnel, investigations, and IT. And this year, Garland has the green light to further expand the department’s purview to consolidate the company’s contingency planning and emergency-response efforts.
Right now, he says, that responsibility is fragmented, with pieces in IT, pieces in operations. “It’s a critical function in business today and deserves someone who is a specialist in that,” he says. To achieve that objective, he will be hiring someone to fill a new position of director of disaster recovery and business continuity.
Garland is not alone in being given greater responsibilities. “It seems like we get a new area of responsibility almost on a monthly basis,” says Gordon W. Kettler, executive director of global security for General Motors Corporation since 1990.
His department’s scope includes investigations, crisis management, fire protection, security technology assessment and purchase, contract management, brand protection, VIP protection, global intelligence gathering, loss reporting, and supply chain security.
The security team also shares responsibility for information security. For example, he explains, “We provide the physical security and investigative activity including forensic investigations, and IT provides support.”
Business alignment. Whatever the range of security’s duties, the department’s prime mission always has to align with the company’s. That means being a trusted partner.
“We get brought into the planning process to figure out what’s the best way to go forward with any new service or new product,” says Kettler, and security is asked to assist in the due diligence to determine whether a new location is a good place to buy or build a facility. The bottom line is that “we are part of the equation,” he says.
The company’s attitude toward security may be due in large part to Kettler’s attitude toward the company. Though he has been in the security field for 41 years, working his way up from an entry-level security officer position, and earning a bachelor’s and master’s degree in criminal justice, he says that he thinks of himself as an automobile executive who does security.
“It’s more important to understand the business than to be a standalone security person and be recognized that way in the business,” he says.
Avaya’s Allison concurs, noting that her department’s biggest challenge is “to stay completely aligned with the business.”
That business mind-set is another key component of a model CSO as envisioned by the ASIS guidelines. And it is an ongoing challenge to translate that into concrete actions, because business objectives, like security situations, are constantly in flux.
For example, explains Allison, “we’ve just acquired three companies, the largest one of them being 5,000 people over in Germany. So we’ll have to deal with all the physical security issues of those sites. But we will also have to deal with issues such as: Is this a new technology we’ve brought in? What are its security requirements? How does that fit in with the company?”
Being aligned with the business also means being aware of the financial impact. “I make a strong business case for everything I do,” says Quilter.
At GM, says Kettler, the security department follows the same process as other business units to streamline operations. They call it value-stream mapping, or determining what is really needed to run and protect an operation. “That doesn’t mean skimping on it,” he says. “It just means taking waste out.”
Alignment also means taking more of a risk-management approach, analyzing the company’s specific situation to make sure that security resources are cost-effectively deployed. “CSOs are getting much better at risk-management concepts of prioritizing and allocating budgets to where it really protects the assets of the corporation,” says Walker.
Pressure points. Being aligned with the business does not, however, mean kowtowing to executives when it comes to important security precautions. And that can mean taking some heat.
“Of course, everybody will try to second-guess you,” says Allison. She gives one example related to the 2004 Summer Olympics in Greece.
Given the level of concern about a terrorist attack at the time, her department recommended that the CEO not go, and he agreed. Afterwards, when nothing happened, he expressed regrets about having missed a fun event.
“I said it was great on TV, but what I was able to do through the State Department’s Overseas Security Advisory Council was to show him some of the things that they weren’t showing on TV where they had issues with hooligans in the Olympic village, fire bombings, and IED incendiary devices,” Allison says.
She stood by her recommendation, and the CEO was satisfied. You have to have that rapport with the CEO, says Allison, and “you have to know when to go up there; you have to know when to call your shots.”
Ultimately, the successful CSO must adroitly combine being a good business partner with being an independent voice capable of telling executives what they do not want to hear. That takes more than a solid knowledge base.
“Leadership includes taking risk,” says Quilter. “If you don’t have that level of confidence in your own ability, you need to be a manager.... If you are going to lead, know that there’s risk there.”
Sherry L. Harowitz is editor-in-chief of Security Management.