The evolving role of the chief security officer
Originally published in the 'Safeguarding Our Security' CSO Online Forum
It wasn’t so long ago that a Chief Security Officer’s (CSO) job was relatively straightforward: secure the premises by focusing on facility access, guard services, and camera surveillance. Yet today, a CSO’s organizational mandate is anything but simple – he or she is now charged with mitigating an array of interdisciplinary and intersecting risks across the enterprise.
Remote access to buildings, interconnected air handling units, and remotely monitored vending machines all provide potential new entry points for threat actors. Emerging regulations, such as SEC Rule 206(4)-4, also compound the pressure on CSOs to address the complexity of this risk landscape and integrate new mitigation strategies and tactics into traditional physical security processes.
In effect, the CSO’s role is evolving into a mission-critical service that spans risk areas ranging from data protection and vendor due diligence to regulatory requirements for business continuity and compliance management.
Addressing the Changing Threat Landscape
Today’s CSOs are charged with managing risks spanning five multidisciplinary areas that have not traditionally intersected with the narrow scope of safety and security:
1. Cyber and Information: Includes identification and policy development to mitigate threats, vulnerabilities, and risk associated with data protection, intrusion testing, data breach and recovery, economic espionage, and internal threat assessment and privacy.
2. Legal and Regulatory: Includes policy development and resource procurement for litigation support, regulatory liaison and investigation, and remediation efforts related to financial crimes, fraud and corruption, and whistleblower litigation.
3. Diligence, Business and Geopolitical Intel: Includes policy development and resource procurement for transactional diligence, commercial diligence and intelligence, employment screening, internal investigations, and geopolitical risk assessment.
4. Governance, Risk and Compliance: Includes policy and procedure development and execution around audit expertise, risk, insurance, and reputation management.
5. Medical and Psychological: Includes policy and program development around employee counseling, crisis intervention, employee productivity, and workplace violence.
Four Pillars of Protection
In order to manage the responsibilities associated with these risks, CSOs can prioritize their strategic objectives and tactical actions using the following framework:
1. People: CSOs must identify and acquire key personnel to support the development and growth of their corporate security department. All relevant employees must be trained in security and safety initiatives and be able to implement communications plans. Further, all employees must be trained and encouraged to identify safety and security concerns and provide feedback. CSOs must also identify preferred vendors and partners to support in-house efforts to respond to changing risk environments.
2. Process: CSOs must prioritize the development of emergency action plans and identify gaps in their incident response protocols. CSOs must review their policies relative to industry best practices for programs such as pre-employment and vendor screening.
3. Technology: CSOs can employ technology solutions and security systems to assist decision-makers in better utilizing the critical information and resources at their disposal.
4. Property: CSOs should develop an internal physical security survey that assesses levels of security awareness, emergency preparedness, and compliance with established policies and procedures to inform specific initiatives for protecting locations and occupants. This survey will assist in identifying gaps and developing crisis communications and business continuity plans.
Three Steps for Better Leveraging the CSO
At the organizational level, the CSO is an integral stakeholder. Too often, however, the CSO is overlooked, under-resourced, and underutilized. Below are three steps that companies can take to better leverage this critical resource:
1. Ensure CSOs have the resources they need. CSOs often grapple with the need to repeatedly demonstrate the ROI of increased security costs. Resource and budgetary constraints can limit a CSO’s ability to effectively hire security staff and invest in new tools, but these shouldn’t force a trade-off between managing risk and scaling resources in an increasingly complex world.
2. Provide CSOs access to relevant information and expertise. To succeed in this expanded role, CSOs will need access to information that helps them to identify risks that can adversely affect the safety of personnel or the security of facilities. CSOs will also need the authority to engage with individuals at all levels of the organization and the ability to go outside of the organization to find expertise when needed. By analyzing information and coordinating activities with both internal and external stakeholders, a CSO can better ensure that his/her company is prepared for the possibility of a security incident.
3. Focus on long-term, developing threats. Organizations traditionally tend to prioritize current risks over longer-term, developing threats. For example, prevention programs for workplace violence and employee monitoring for pre-attack behaviors often take a back seat to promoting basic internal security awareness. The focus on short-term risks can limit a CSO’s ability to understand what resources might be required in the future. Today’s strategic-level CSOs adopt a longer-term view to anticipate emerging threats and to implement proactive mitigation measures that decrease the likelihood and impact of future incidents.
The Bottom Line
At the organization level, companies should empower CSOs so they can play a more strategic part in overall enterprise risk management plans. By leveraging their CSOs’ experience, knowledge, and relationships in advance, organizations can facilitate more holistic and proactive planning. And CSOs can use the framework of “people, process, technology, and property” to prioritize identifying and remediating vulnerabilities arising from new cyber and information security concerns, emerging legal and regulatory requirements, geopolitical threats, governance and compliance obligations, and the medical and psychological well-being of employees. By harmonizing both organizational and CSO objectives, companies can strengthen their enterprise security posture, implement processes necessary to address threats, and realize gains in both the bottom line and overall business efficiency.