Metropolitan Life Insurance CSO Robert Cordier answers readers' questions about security recruiting. Q: How do you determine "appropriate" levels of security--levels that have a direct impact on the amount of budget you're given? Information security, as a profession, seems to be grappling with this question more than ever.
A: Since 9/11, in my opinion, most corporations have appropriately augmented security-related budgets with generous enhancements to upgrade security measures. Determining the appropriate level of security is most effectively done by taking a holistic view of the enterprise. First, there should be a security template to identify policies, procedures and installations of equipment and technology for consistent application throughout all facilities. While not all budgets will provide for the immediate enhancement of all facilities to this threshold level of security, an analysis and prioritization of security upgrades across an enterprise will allow for a phased implementation of these security enhancements.
To identify components that require security upgrades, a comprehensive security questionnaire can provide a ranking of the most crucial and sensitive operations. From this ranking, immediate and more concerted security enhancements can be targeted with minimal impact on the security budget.
Onsite security reviews and inspections of facilities or lines of business is mandatory by the security component. Where possible, this function could be contracted to reputable security consultants for independent review.
To complement these processes, the implementation of an effective crisis management initiative, involving representatives from all business functions and operations, is effective in establishing policies that enhance the security program throughout the corporation. The crisis management process can justify budget enhancements to those who might otherwise be ignorant as to the need or value of certain security expenditures.
Q: I am a recruiter working with executives looking for senior opportunities in physical security. Most of our clients are searching for security executives who are skilled in information security. What is your opinion of the CSO role? Is the ideal candidate a physical security guru, an information security executive or a combination of both?
A: The CSO is an executive-level position with responsibility for the maximum coordination and integration of security protocols, procedures and policies within a corporate structure. All security departments have a mission with three goals: 1. provide for the safety and security of all employees, 2. protect and maintain all corporate facilities and the physical assets and property, and 3. ensure the security and continued preservation of all corporate information, research, and proprietary data and the technology that supports it.
To implement a corporatewide security program and advance this security mission, it is imperative that a CSO be a leader and manager who understands the critical importance of blending tradition and technology into today's security arena. Although it might be desirable to have a CSO who is steeped in both physical security and information security, I believe it is more important for the CSO to be an individual with depth and experience in management who is also complemented with a comfortable level and awareness of both the physical security and information security platforms.
Thus, if recruiters are looking for the appropriate criteria for the CSO position, it would be prudent to establish a threshold for depth and accomplishment within the leadership and management categories. The selection matrix would thereafter include a preference category where appropriate weight should be afforded to candidates with discernible skill and experience within the physical and information security disciplines. The weight or percentage afforded to either discipline should be tilted toward those candidates whose knowledge, experience and skill level are most consistently aligned with the primary security responsibilities of the client corporation.
Recruiters should understand that competent security executives will lead and manage their security programs in a manner that is inclusive of the talents and expertise necessary to accomplish their mission and not be fractured by a single-minded perspective. -- CSO (US)
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.