The CSO role as many imagined it five years ago would pull all corporate security functions—including safety, asset protection, physical security, information security, business continuity and risk management—together under the purview of a single corporate security executive whose office would be one door down from the CEO's.
For some organizations, that is exactly what the role became. For many, other executive-level positions evolved, ones housed in the IT or facilities departments, with C-level authority and a one-off reporting structure. And for many more, the security director is still the security director, and the organization feels no real need to change that. Converged systems at one level or another have become much more prevalent, but truly converged houses are still hard to find outside the Fortune 500.
It would be folly to suggest that all companies without CSOs are missing the mark. After all, if there was only one way to effectively secure any facility, your professional lives would be much less complicated and I would be out of a job. But convergence in technology and management—whether it's accomplished under a CSO, a CISO and security director, a CSO and CIO, or some other structure—can advance security and improve the business. The secret is to think like a CSO, even if the CSO title and structure aren't in your organization's plans.
What Is the CSO Mindset?
When it comes down to it, a CSO is a business executive. All a CSO's decisions are made with the interests and needs of the business in mind. L.E. Mattice, one of our Top 10 Movers & Shakers in security this year (see page 20), is vice president and CSO of Boston Scientific, a global manufacturer and marketer of medical devices. He has learned the importance of a clear view of business needs from years of experience in both public and private security.
“We focus on what's important to the business,” Mattice said of security at Boston Scientific. “This is the fourth corporation I've been head of security in, and one of the advantages I have, having worked in the electronics industry, the defense intelligence business, and the consumer products business before I got here is that I understand that companies are different, their needs are different based on the kinds of businesses they're in and where they are around the world, and that's given me the ability to focus on a program that understands what the business needs are and that's driven by the need of the business and the risk that the business faces. And then (the program) mitigates things based on a sliding scale relative to where things fall in the continuum of criticality to the business itself.”
A CSO has to know the business to set reasonable protection priorities, just as he or she has to know and understand the concepts of strategic planning, total quality management, and root cause analysis, Mattice continued. “You can't mitigate everything. You have to be able to take a certain amount of risk based on probability analysis and the criticality of what you're dealing with for the company.
“I told them when I came here as a consultant (prior to being hired as CSO), ‘I could give you a 100% guarantee of a security program that you never have to worry about and that will counter every risk that you may ever face, but I'll put you out of business doing it.’ So you have to build a program that is affordable, that is based on dealing with risk in a sensible manner.”
Being in centralized control of the entire security function helps this mindset of sensible risk management and business focus play itself out in policy and function. A CSO who has boardroom and CEO access is more likely to be clear on evolving business needs than a security director who isn't in executive-level meetings. A CSO also has more control over how the converged security function is executed because all parties must report to him or her. However, there is a lot a non-CSO can do to behave like a CSO, even with these perceived structural handicaps.