The lifespan of corporate CSOs is increasing, with the average stay about 36 months, up from 24 months just a few years ago, attendees of CSO Bootcamp at Interop Las Vegas were told.
"Now we're getting business-background guys, and they're lasting a lot longer," says John Pironti, the chief information risk strategist for Getronics who ran the bootcamp and was in charge of the education track for the show.
But the job is still one where the new person comes in, shakes things up, inevitably causes some bad feelings, and when a better security culture has been started, moves along, he says.
The position of CSO was invented as a response to specific security failures at businesses, in an effort to tighten up defences, and the first CSOs were largely chosen from the ranks of the IT staff.
"The first generation was ex-techies," he says. They were suited to put out the immediate fire that demanded the creation of the job, but not to create self-sustaining work environments that made security a priority — skills that many of the ex-techies lacked.
Even with business skills, these new CSOs have a limited lifespan because they shake things up so much that politically, their days become numbered, he says. "They spend 24 months getting up and running and 12 months advocating for their next job," Pironti says.
Part of the politics comes from the need to influence all people in IT, not just the security team, to make security a priority, says Jim Routh, the CSO of Depository Trust Clearing. "You have to depend on other people to do certain things to protect data," Routh says.
He recommends bringing in consultants to audit the business's security and delivering an assessment that the CSO and the rest of IT can act on. This can take some of the onus off the CSO for being critical of the organization.
Then it is time to educate staff about better security practices. "The prime responsibility of a CSO is to influence others' behaviour," Routh says. "Education is the most strategic tool to a CSO. It's even better than a firewall."
Even so, whipping an organization into shape can require head-cracking. Routh says within two years at his first CSO job, 40 percent of his staff turned over, not because they were bad at their jobs but because they didn't share his ideas on what needed to be done.
"You need outside support and you need new blood," Routh says. "New employees have a naivete. They actually believe they can change things."
He encourages CSOs to identify stakeholders in organizations whose cooperation is key, then analyze whether they are advocates of heightened security awareness or blockers of it. For instance, server managers may regard their jobs as setting up applications on machines so they run well. Adding concern about securing those applications might seem outside their realm, and that is a problem, Routh says.
Getting high-ranking business executives to publicly endorse the CSO's goals is important to bring reluctant employees in line, he says. If employees can't be persuaded to get on board, it may be necessary to enlist their boss to force them, he says.
"If there's a vulnerability in your environment and you expose it to a management level of your organization and the appropriate response doesn't happen, you have to reveal that information to the next level of management," he says.
It is also important to identify key performance indicators that will show that security weaknesses are being addressed and to assign individuals to be in charge of delivering on them, Routh says. That assignment of responsibility will encourage staff to engage the security plan without having to exercise muscle, he says.
Once a CSO's plan is in place, it often becomes necessary to move on to another job, Pironti says, because CSOs tend to constantly seek new challenges. But it is important to leave a business in good hands when the CSO moves on, he says.
"Identify your successor or group of possible successors early on and groom them," he says.