FRAMINGHAM (03/15/2004) - Has someone been reading my mail?
I found myself wondering that as I surfed my bookmarked security sites the other day. I landed on the ASIS International homepage. Posted within the site was the organization's proposed "Chief Security Officer Guideline" (www.asisonline.org/guidelines/guidelines.htm). I couldn't wait to check out what others thought I should be doing in this job.
I was caught short by a summary of the CSO position that described almost exactly my own situation. "Traditionally, what has previously been lacking is a single position at the senior governance level having the responsibility for crafting, influencing and directing an organizationwide protection strategy. In many organizations, accountability is dispersed, possibly among several managers in different departments, with potentially conflicting objectives."
I guess I should find some solace in the fact that ASIS sees my situation as "traditional." But it shouldn't offer any comfort to my company's managers. When it comes to dispersed accountability, I'd bet my company holds some sort of a patent.
All this got me thinking. Who exactly are the stakeholders in the security mission at my company? Legal counsel has investigations and, along with internal audit, is getting in the mix as a result of Sarbanes-Oxley. HR owns background investigations (how's that for a conflict of interest?), but the purchasing department does due diligence examinations. The treasurer has several insurance programs that affect security capabilities. Facilities runs property protection, employing a contract guard force and outsourcing physical security systems to a hardware vendor. As the director of security here, I work for the CIO, who covers information security, business resumption planning and security monitoring functions. Recently, our ethics office established the position of compliance officer with some as-yet-undefined business integrity responsibilities.
But what about someone who is accountable for an organizationwide protection strategy? Nope. Nada. Nein. I guess someone at the top figures that having all that under one chiefdom would require a license to kill.
This balkanized approach to security is likely to remain the traditional model of the typical org chart for a while. While "ownership" is not essential, strategic accountability and effective influence are. What's missing in most companies is the concept of an organizational vision and voice for the protection mission.
The issues of risk and accountability clearly are interrelated. I depend on my facilities contacts to make sure we have a set of defensible physical perimeters around our critical business processes. But I will also tell you that I have damn little confidence that the contract security guard -- who seems to change every few weeks -- will know what to do if he's the first to respond to something that goes bump in the night. The last one I spoke to barely speaks English. This is a qualified first responder? In addition, we have major elements of our technical infrastructure outsourced and offsite, and I haven't a clue what sort of due diligence was done on those companies.
The so-called culture around here is geared to spread accountability, and frankly, I probably shouldn't complain. I mean, if something hits the fan someday, we can all point to someone else and explain that it was on his watch. But it also raises the question: What does it mean that my strategy is so limited?
Report card for a CSO
In its "Model Profile of a Chief Security Officer Function," the ASIS Guideline does a terrific job of putting forth an overview of the risks faced by businesses today. It offers an inventory of potential protection processes and services, and it describes the skill sets proposed for the model CSO. For the latter, I went down the list and tried to honestly grade myself.
RELATIONSHIP MANAGER. "Develops, influences and nurtures trust-based relationships with business unit leaders, government officials and professional organizations. Acts as a consultant to organizational clients." You bet. Can't get to first base without this one.
EXECUTIVE MANAGER AND LEADER. "Builds, motivates and leads a professional team attuned to organizational culture, responsive to business needs and committed to integrity and excellence." I try my best to lead and be a model to my people, and integrity goes without saying. But we have yet to clearly articulate standards for this core expectation.
CREATIVE PROBLEM-SOLVER. "Aids competitiveness and adds value by enabling the organization to engage in business processes in high-risk situations. Be a positive change agent on behalf of organizational protection." I'll give myself an A on this one. My safeguards have made us more reliable and secure for our customers, and that has given us an edge on the competition.
SUBJECT-MATTER EXPERT. "Provides technical expertise appropriate to knowledge of risk and the cost-effective delivery of essential security services." I'm extremely confident about this one, and my peers would support that assessment. But technologies are changing so fast that it's a difficult challenge.
GOVERNANCE TEAM MEMBER. "Provides intellectual leadership and active support to the organization's governance team to ensure risks are made known to senior management and the board." Hmmm. I've never thought of myself as a part of the governance "team." I don't sense that we have one and wonder what we're missing as a result. Maybe it says something about my future influence skills?
RISK MANAGER. "Identifies, analyzes and communicates on business- and security-related risks to the organization." Within my current space, I'd better be -- or adios, amigo.
STRATEGIST. "Develops global security strategy keyed to likely risks and in collaboration with the organization's stakeholders." I do security strategy for my part of the risk profile, but my piece is a small part of the whole. Who is overseeing the entire security risk picture? If we're all looking through a limited lens, what is out there beyond our individual perspectives? This requirement puts the need for a CSO in flashing neon lights.
I know a number of my colleagues claim the title of CSO, but I have to acknowledge that we have nothing remotely resembling a CSO here, and we are more at risk because of it. Call it what you will, but we need to get our act together and find a way to see this risk landscape in its entirety rather than in isolated, uncoordinated slices.
I've got a mélange of associates here each working their corner of the street, but I don't see a first among equals. And our CIO has no appetite for anyone making a "power play" to try to organize a security council or a more integrated oversight of global security issues.
So what if we were to run a risk scenario drill to see how well prepared we are? I mean prepared for something we really hadn't considered, or for a planned scenario that, once tested, turned out to be significantly deficient. Without at least an annual drill of this kind, we are all in trouble.
Most of you would likely be able to give chapter and verse on the outcome of such an exercise. In theory, we have in-depth crisis management plans in place for a potential cyberattack, and we've created some comprehensive business interruption plans, which I coordinate. But have we considered the real array of possibilities? Have I effectively included the concerns of my colleagues in this protective envelope? What is the significance of our lack of real dialogue among staff members to convey expectations in the event of a truly disastrous event? We have no integrated plans in place to link the essential elements of response. No practice in tapping into each other's capabilities in the heat of the moment. No organized way to contact key individuals. No adequately trained resources. And poor escalation processes to senior managers who are unprepared for unanticipated events. In short, we would almost certainly guarantee a situation where one hand didn't know what the other was doing.
I chatted over lunch one day about just such a scenario with my infrastructure peers. But we didn't expose our shortcomings to the top. We limited it to a tabletop exercise that we followed up with a number of where-do-we-go-from-here sessions. Call it "enlightened self-interest." It was scary to acknowledge how much we didn't know about our individual capabilities and limitations, how much we lived within our own silos, how much risk this limited focus caused our organization.
Reading the ASIS Guideline has significantly increased my appreciation for improving the links with my peers. We have shared its contents and acknowledged that our collective benefit will be served by sharing information on a variety of issues, by holding quarterly risk oversight reviews, by developing integrated incident-response plans, by having key employees in each group serve on mini-issue committees to identify areas of collaboration, by interviewing new hires in each group, and by assigning our high-potential employees to short-term assignments in various groups.
I'm not sure yet if this dialogue and collaboration will continue, but even if it doesn't, I'm already convinced that our company is going to be far better prepared and protected than it was before the ASIS Guideline made its way over the Internet to my desk. I've had either the foresight or the stupidity to share this with my corporate "teammates" to enable forthright conversation among peers. Hope springs eternal, but this document has already served to stimulate change and create a semblance of at least a collective chief security officer, and who knows where it will go from here?