Q&A: The Future CSO
Print Issue: July 2018
CSO roles are becoming more prevalent in corporations while evolving to address security challenges. Scott Klososky, founding partner of Future Point of View, shares how.
Q. What do you think the CSO role will look like in five years?
A. The CSO role will have complete responsibility for integrated security across physical, electronic, and cyber. CSOs will report directly to the board in many cases and will have a long list of specific dangers they are charged with preventing. They will be responsible for things like stopping employee theft of data, preventing employees from giving up passwords or compromising systems, and drone defense. They will be heavily involved in the organization's risk management system and will have a say in the insurance that is purchased to offset risk in specific threat areas. Another responsibility will be providing personal protection and intelligence in regard to travel for senior executives, board members, and their families. That will include social media scrubbing for the company, as well as for senior executives and board members.
Q. What will the reporting structure to CSOs look like in the future?
A. CSOs will have a VP of cyber, VP of physical, and VP of electronic security reporting to them. They will have specific people who are dedicated to the three different areas of security: the company, access control and surveillance systems, and cybersecurity. They will also be more closely aligned with HR because the human firewall is becoming such a problem. There is no way to protect an organization properly if the CSO does not have control over all aspects of security defense. Today, it is broken up across organizations and is too far removed from HR to be completely effective. The threats we are defending against will require this level of integration and collaboration.
Q. Will the dynamic between security and the rest of the organization shift?
A. To do security well, the CSO will have to develop strong collaboration with HR, IT, and operations. Then the CSO will have to participate in areas like risk and insurance. I see a future where a strong CSO is well-known and well-liked by all leadership. The CSO will be involved in lots of departmental meetings across the organization to determine new threat vectors and to build the relationships necessary to put up a solid defense. Today, CSOs can hide behind the scenes, and that needs to stop. They need to be out front with relationships across the organization, so they are looked at as a necessary element in the strategy of the organization.
Q. What about smaller businesses and organizations? How will they keep pace with emerging security threats?
A. There is only one real answer and that is to use contractors and vendors. Small and medium-sized organizations cannot pay for a full-time CSO in many cases, yet they need a smaller version of an integrated security model. They can rent the talent for a price they can afford by using local and regional security firms who are used to dealing with smaller clients. I suspect that security firms will build processes and systems to better handle these customers, so they are not left out in the cold.