Add “Chief Security Officer” to the list of must-have C-level positions at large corporations. That’s the advice of information security analysts who are telling clients to hire a top executive to oversee their company’s IT security. Slowly, they are seeing companies move in that direction.
Companies began to focus on security even before the Sept. 11 terrorist attacks. But since then some have made serious moves to ensure security of their IT systems by naming a chief security officer or chief information security officer to plan and oversee information security for the entire corporation.
Microsoft named a chief security officer in January to develop strategies to enhance the security of Microsoft products, services and infrastructures. AOL Time Warner created a new chief security officer position in early 2002 to oversee and coordinate AOL Time Warner’s worldwide security policies and operations.
Other technology companies, including Oracle, Hewlett-Packard and Exodus Communications, already had chief security officers in place.
But technology companies aren’t the only ones to recognize the need to have one person in charge of security. General Electric has a chief security officer. Management consulting firm Booz Allen Hamilton in January surveyed firms with more than $1 billion in annual revenues and found that 54% of the 72 chief executive officers it surveyed have a chief security officer in place. Ninety percent have been in that position for more than two years.
When there is no chief security officer in place, chief information officers are more likely than other executives to have security responsibilities, the survey found.
In the forefront
Financial institutions led the effort to hire chief security officers more than a year ago. They did so to meet new federal accounting standards to ensure that information systems that were being used to control financial records were secure, says Christian Byrnes, vice president for security programs for market researcher Meta Group. Technology companies followed.
Health care providers will be next as they work to comply with the federal Health Insurance Portability and Accountability Act (HIPAA), which requires that health care providers ensure the security of electronically transferred health records.
One of those providers is Bayshore Community Health Services in Holmdel, N.J. The company has already conducted a security assessment and is working to fix any problems that were found, says Linda Woods, chief information officer and privacy officer. “I think we’re one of the first institutions to have a security assessment,” says Woods, who also acts as chief security officer although she doesn’t carry the title. “A lot of people are saying ‘Let’s wait until the regulations are finalized.’ We wanted to have our assessment done as soon as possible. We wanted to start correcting things if there were any issues.”
Although the chief information officer often oversees information security, Byrnes and Yankee Group security analyst Matthew Kovar say CIOs have to deal with agendas that can conflict with security. They have to balance the needs of the chief operating officer who wants to save money, along with network administrators who want to guarantee open networks regardless of the need for security.
“The network staff tries to be responsible to the demands from the business side and sometimes those demands are not consistent with both the needs for security and current (IT) architecture,” Byrnes says.
As a result, the company is open to security breaches. “Companies assume things are fine until a catastrophic event or an external reviewer looks through the architecture and finds the flaws,” he says.
Kovar says chief information officers and chief operating officers simply have too much to do and shouldn’t be responsible for ensuring a company’s IT security.
“The solution that they will get to — and it may be willingly or kicking and screaming — is that they need to release some of this responsibility by providing an infrastructure that can address all those needs that are no longer COO or CIO tasks,” Kovar says. “Companies should have a chief security officer. They should be required to have a CSO by the shareholders, the stakeholders.”
CSO shortage expected
The question, then, is where to find a chief security officer. The best ones, Byrnes says, are those who have an information security background. But they also must be familiar with corporate politics and have been in a policy-setting role in the past.
Some chief security officers seek certification as a Certified Information Systems Security Professional (CISSP), which is offered by the International Information Systems Security Certification Consortium. Certified chief security officers earn about $200,000 to $300,000 a year, Byrnes says.
He says about 9,000 people have received a CISSP certificate. However, Meta Group estimates there are about 24,000 chief security officer jobs to be filled.
“We’re not in too bad of shape because a lot of organizations have not tried to create the CSO position yet,” Byrnes says. “As the trend continues, we’ll have more of a shortage and that will drive salaries higher.”
Freelance writer Cynthia Flash covers business and technology from Bellevue, Wash. She can be reached at cynthia@flashmediaservices.com.