Online security is obviously a pressing issue for any company big or small. There are constant threats to your security. GE’s CIO says her networks face up to “eight million scans a day from terrorists looking for vulnerability in their computer system.”
That’s why GE has a chief security officer. Maybe it’s time to consider if your firm needs one. Let’s look at the issue.
Rona Borre, CEO of Instant Alliance, an IT talent management firm, says chief security officers, also known as chief information security officers take ownership of a company’s entire security footprint. That includes such things as continuity planning (if your whole operation collapses), loss and fraud prevention, and privacy. The latter is probably the most important.
As she points out in a blog post, “They prioritize security agendas, and communicate with all departments to ensure operations run smoothly.” It’s become an increasingly important position that works in conjunction with the CIO.
Jason Deign, a European tech writer, has some good insights on how to hire a chief security officer. In a blog post on the Cisco web site, he says to throw out what you thought about what makes the best candidate. Past definitions aren’t going to work well in this constantly evolving field.
He writes, “… trends such as BYOD, [bring your own devices] mobility, andcloud computing have blurred the boundaries between corporate networks and the outside world. That means new skills are needed to protect company systems and data.”
It’s also worth sharing a comment to his blog post when considering the right person for a chief security officer position. Kevin Bloch, Cisco’s CTO, asked an audience once the purpose of a car’s brakes. The typical answer is to stop a car. Bloch said it’s not. They are there to enable a car to be driven faster and more safely – but stopping it when necessary. As the commenter said, So network security should not be about restricting network use, network security is about enabling the network to work as fast, as efficiently, and as safely as possible.”
That means your chief security officer is going to need to be someone who doesn’t apply the brakes automatically and stop your company’s progress. They’re going to have to focus on what makes your company’s networks function at top capacity so as not to restrict growth.
Borre says in her post that a chief security officer needs to have at least a bachelor’s degree in business or computing. She suggests a master’s degree is preferred along with the requisite background in information technology. More than education and leadership experience, a good chief security officer candidate is also going to need experience specific to the field they will be working in.
This is especially important in the healthcare and insurance industries, Borre says. It’s difficult to get up-to-speed otherwise because of the particular nuances of those fields. One size does not fit all when it comes to security.
Deign points out that a good chief security officer is also going to need to be a good communicator. That position requires working across an entire organization and talking in a language the non-technical can understand. He also says, much like Borre suggests, that chief security officers need to be broad thinkers. They need a global view of where the threats are coming from – and they’re obviously launching from all parts of the globe.
Borre raises another good point about chief security officers. They need to be mentally nimble. She says, “Because a CSO has to work against and with modern technology, they need to be creative and able to think on their feet.”
Look first at internal candidates when hiring a chief security officer because they already speak your organization’s language. Make sure candidates are good communicators, too. They obviously need leadership experience to be effective because they will be working with fellow leaders.
So, what’s this going to cost you? According to Borre, a survey by CSO Online found that security-decision makers earned around $179,600 in 2014. Obviously you’ll need to structure compensation appropriate to your organization and the demands of the position.