Headhunters are waxing ecstatic over the six-figure salaries, the number of openings that companies say they have, and the fact that it's a growth area in an otherwise down market. And there's a lot of agreement that corporate security needs to be centralised, at least in some manner. But if it's so hot, why are so few companies actually hiring CSOs?
As you'd expect, part of the issue is that this is all so new. Even companies that agree that corporate security needs attention aren't exactly sure what to do about it. Likewise, companies that plan to hire someone to oversee all of their security needs aren't sure what that person's responsibilities might be.
Traditionally, corporate security officers have been in charge of physical security. The uniformed guards in the lobby reported to them, and they worked on ways to make sure the building was secure against break-ins, fire, and the like. In companies with a large IT function, there was probably also someone in charge of information security. That job was to make sure the company's information and its networks were protected against theft, loss, damage, or corruption.
Two fields overlapping
The problem is that as enterprise computing became more critical, the two fields of security began to overlap. Where do you draw the line when it comes to protecting the data centre, for example? Who is responsible for intrusion detection and prevention? Who guards those open Ethernet jacks in empty cubes, and who makes sure that no one taps into the wireless network from the parking lot? The questions go on.
"Who is responsible for the fingerprint scanners and other biometrics that control access?" asks Tom Turner, vice president of marketing at Okena, an intrusion detection software vendor. Turner says that new technologies are part of the reason companies are turning to new positions that cover broader territory.
You can see the problem. Companies are faced with a new box on the organisation chart, and they aren't sure where it goes. Does the CSO report to the CIO? The COO? The CEO? The board? And who works for the CSO? What's the job description of the CSO and what are the qualifications?
The answers to these questions could dramatically alter the security environment at many companies. A candid assessment of your security staff is needed to determine such issues as whether physical and information security have become intertwined. Could communication between the two security staffs be more effective? Does your company have the ability to do a joint security assessment with the cooperation of your information and physical security staffs?
Your company may be handling its security needs externally, or perhaps you don't think both areas will grow in the immediate future. But there's no question that after the attacks of last year--both physical attacks and cyber attacks--boards are paying close attention. You can expect to be asked about the need for a CSO, so you might as well get ready.
