In the past, the job of a chief security officer (CSO) was relatively simple. The CSO was primarily responsible for the security of the premises of a company, all of the assets within the building, access to facilities, and the surveillance equipment. In other words, the job was mainly about the physical belongings of a business.
Much has changed in the CSO’s role since then, though. As computers and the internet play critical roles in the operation of businesses, security officers are no longer focused only on protecting tangible properties. Modern-day CSOs need to be well-versed in both physical and cyber security. They must be equally competent in securing both physical and digital assets. In some cases, the latter is even given greater importance.
The growing importance of cybersecurity
A study by the Clark School at the University of Maryland estimates that a hacking attack takes place every 39 seconds. Juniper Research, meanwhile, projects that businesses will lose more than $2 trillion to cybercrime by 2019. Security company Cybersecurity Ventures, in a similar study, projects that the cost of cybercrime will rise to around $6 trillion per year in 2021. All these numbers and details emphasise the fact that securing a business is no longer just about preventing traditional burglars from entering a company’s premises. Through online attacks, thieves can steal cash or valuable information remotely.
Unfortunately, most businesses and organizations are not adequately prepared to address cyber assaults. A study conducted by Ponemon Institute found that 77pc of over 3,600 IT professionals worldwide indicated that they don’t have a consistent cybersecurity incident response plan for their organizations. This is the reason why it takes businesses more than six months to identify and address data breaches.
For some companies, a cyberattack can be significantly worse than a typical burglary. Traditional heists can result in tens of thousands in stolen cash and property, but a hacking incident can involve stolen cash in amounts that robbers could never physically carry out of a building. Cyber theft can also target non-cash digital assets that are worth millions or even billions. Worse, cybercrime does not only result in the loss of property; it can also adversely impact the reputation of a business. It can impair customer trust and discourage new customers from trying the products or services of a company.
In the age of the internet and digitisation, cybersecurity is a must as it correlates with customer trust. Customers are unlikely to have confidence in companies that are incapable of even protecting their websites or ecommerce stores. If they can’t keep their sites up, it’s difficult to believe that they can be competent enough to secure customers’ data, especially their credit/debit card numbers and online banking details.
The need for CSOs with multidisciplinary savviness
Chief security officers need to become competent in addressing different areas that used to rarely or never intersect in the traditional sense of securing a business. These areas represent the changing landscape of threats affecting businesses. These include network and digital asset protection, regulatory compliance and risk management, due diligence, legal actions, as well as medical and psychological needs.
Network and digital asset protection covers the need for measures to protect data stored locally and in the cloud. It should also include a solid plan for detecting, preventing, and remedying instances of economic espionage. This includes intrusion or penetration testing, the evaluation of internal threats, and protocols for addressing and recovering from data breaches.
When it comes to regulatory compliance and risk management, a chief security officer has to study government requirements and develop expertise in the audit process. It’s also a must to have a good grasp of reputation management and business insurance.
Due diligence is about gathering information and taking steps to satisfy requirements and reduce risks. This includes the need to scrutinise transactions and the party the business is transacting with. It also covers the screening of employment applicants and the undertaking of internal investigations. Additionally, it may require the acquisition of geopolitical intel especially when operating in new territories.
CSOs may also be involved in legal concerns as they may be asked to provide litigation support and assistance in regulatory liaison and investigations. They may have to work with the legal department to back remediation efforts involving fraud, financial crimes, and corruption.
Moreover, chief security officers also need to work with the human resources department, as their input may be needed on the medical and psychological concerns of employees. They may encounter cases of workplace violence, mental health problems that result in decreased productivity or abrasiveness with other employees, and the spread of diseases or a possible biochemical terrorist attack.
How CSOs make security a way of building trust
Chief security officers who have the multidisciplinary savviness discussed above contribute greatly to building trust in a business. They are not only working to meet the expectations of their bosses within the company as they secure various aspects of the business. They also serve as pillars in establishing a reputation of dependability for a business. Their success guarantees current and prospective customers that they are dealing with a reliable company capable of offering products and services with consistent quality and uninterrupted supply or availability. They are also directly responsible for ensuring that customers’ personal and banking information is not compromised.
Amanda Fennell, a CSO at Relativity, says that “the modern CSO is a pathfinder and problem-solver for the organisation”. She believes that CSOs must work closely with different teams to develop a multifaceted security programme that can adapt to rapidly changing threats and compliance requirements.
Shawn Burke, CSO at Sungard AS, supports the idea of the growing importance of a chief security officer in a business. For him, the ultimate responsibility is ensuring that the security function provides organisational value. Good CSOs don’t only follow standards and apply the theories they learn; they should also ascertain that the security vision, strategy, and specific protocols and programmes they implement provide real benefits as a business encounters an increasing number of security attacks.
On the other hand, Jimmy Sanders, VP for Information Security at Netflix, says that “my tools can’t block them [referring to developers and other professionals in the company] from the freedom that is a core tenet of Netflix”. It’s an interesting point: being a security officer is not about unilaterally enforcing security rules and schemes. Security should not become a restraint but a tool for advancing progress. This idea is in line with Fennell’s point on being multifaceted and collaborative and Burke’s idea of a security function that has real value to an organisation.
Business managers, in general, try to cultivate and nurture trust by making sure that they offer quality products and services while ensuring excellent customer service and aftersales care. A chief security officer, in a specific capacity, must diligently study and prepare for new security threats, work with other teams, and make sure that everything he or she does is suitable for the distinct needs of the business they are working for. All of these boil down to the need for a security function that allows businesses to satisfy customers and earn their trust.