8 Bartles Corner Road, Flemington, NJ 08822 • P: 908.806.8442 • info@altaassociates.com
Joyce Brocaglia is the executive career advisor for CSO magazine. The following questions and answers are featured on CSO's online magazine (www.csoonline.com).
How can you convince corporate management of the importance of having a CSO? Federal laws such as Gramm-Leach-Bliley and HIPAA have not been helpful because they don't come out and state in clear language that a CSO is needed. I am in a director position and have been given the daunting task of managing corporate information security, yet I can't get staff, nor does management believe I should be reporting outside of the IT department. In fact, I don't even answer to the CIO; I answer one level below him.
Based on the information you have provided regarding your current employer, it appears that your organization views information security as just another technical problem that needs to be solved. The daunting task you face is not the management of an information security program, but rather the challenge of raising senior management's awareness. Security is a business problem with technical components, not a technical problem. The key is to present the need for a CSO as part of a business solution. Your success will depend greatly on your access to influential senior management and on your ability to build a convincing business case. The chief security officer's role is that of an architect who can develop a comprehensive program that adds value to the corporation while safeguarding its assets and reputation.
If you are unable to convey this message directly to the executive management team, here are a few suggestions that will enable you to establish a business case and evangelize the need for a security officer.
Have vulnerability assessments performed by an independent professional firm. This will provide an overall appraisal of the security level of your organization and will identify the areas of your company that require stronger security controls. Depending on the severity of the findings, the pressing need for a CSO may become evident on its own. If management will not allow you to retain an external firm for this process, you can download the internationally recognized security standard ISO 17799 (for about $150) and perform the assessment yourself.
Meet with your internal and external auditors and collaborate with them on security and control issues. Their reports are presented to senior management. We have performed numerous CSO searches that originated from a need identified in an audit report.
Step outside your technical role and interact with your business managers. Understand their needs and their tolerance for risk. Work with them as an internal consultant to add value to a current project. If you can get a "win" with one business manager, he/she will recommend you to other business units. This will create momentum and elevate awareness.
Finally, you must recognize that some organizations may not see the value of a dedicated CSO. If your career goal is to achieve that role, you may have to look elsewhere.