A Skill Set Beyond Security
Kent's experience at Genzyme is familiar at organizations around the world that have decided to place a top security officer, a CSO or a CISO, to be the key point of responsibility for a company's security. We've seen this position increase in numbers for more than a decade now. But as it has grown, so has the expectation of organizations who are hiring CSOs. As security programs become more robust and sophisticated, so, too, do the expectations of companies who have a top security officer in place. CSOs are now expected to expand their skill set: Those with technical backgrounds must understand facets of regulation, compliance, security and risk beyond the data center. CSOs from a physical security career, such as law enforcement or the military, must also have an understanding of information systems and the threats posed to their organization's data assets beyond just the facilities they are housed in.
It is an evolution that was expected among industry analysts when the first CSO roles began appearing in corporations. Much like how the role of the CIO has changed, it was inevitable that CSOs would have the same experience.
"They, of course, share the same problem that CIOs have traditionally faced," says Paul Saffo, a Stanford University professor, forecaster and essayist with a focus on long-term technological change and its impact on business. "CIOs have been the Rodney Dangerfields of management. 'I don't get any respect,' because their work is so arcane. The other XOs never understood it, or even tried, until recently. CIOs are moving past this stage slowly, but I think the CSOs are still hitting this."
However, while corporate perception of the CSO role is still unfolding, the job has some history to it, and recruiters and hiring managers are becoming savvier about what they want in a security executive, according to Tracy Lenzner, CEO of The Lenzner Group, an executive recruitment firm specializing in security.
"Clients are getting more sophisticated in what they are looking for and what they need," says Lenzner. "Now we are in the second and third generation of these roles. Some companies are looking at these areas for the first time, but, by and large, companies are filling roles for people who had been there previously."
From Techie to Business Executive
In the early days, information security professionals were viewed as two things, according to Steve Katz.
"Highly technical, and the people who consistently said 'no'," he says.
Katz, considered by many to be the first person to hold a chief information security officer position, began to debunk the notions around information security when he was recruited in 1995 by Citicorp (now Citigroup). The company hired Katz after a hacker broke into Citibank' cash management system and siphoned $10 million into his own accounts. Much of the money was not recovered. The theft brought information security to the forefront for Citibank, and the company wanted someone to minimize the risk that such a breach would occur again. Katz's CISO title was created by a board headed by former Citicorp CEO John Reed.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.