Add “Chief Security Officer” to the list of must-have C-level positions at large corporations. That’s the advice of information security analysts who are telling clients to hire a top executive to oversee their company’s IT security. Slowly, they are seeing companies move in that direction.
Companies began to focus on security even before the Sept. 11 terrorist attacks. But since then some have made serious moves to ensure security of their IT systems by naming a chief security officer or chief information security officer to plan and oversee information security for the entire corporation.
Microsoft named a chief security officer in January to develop strategies to enhance the security of Microsoft products, services and infrastructures. AOL Time Warner created a new chief security officer position in early 2002 to oversee and coordinate AOL Time Warner’s worldwide security policies and operations.
Other technology companies, including Oracle, Hewlett-Packard and Exodus Communications, already had chief security officers in place.
But technology companies aren’t the only ones to recognize the need to have one person in charge of security. General Electric has a chief security officer. Management consulting firm Booz Allen Hamilton in January surveyed firms with more than $1 billion in annual revenues and found that 54% of the 72 chief executive officers it surveyed have a chief security officer in place. Ninety percent have been in that position for more than two years.
When there is no chief security officer in place, chief information officers are more likely than other executives to have security responsibilities, the survey found.
In the forefront
Financial institutions led the effort to hire chief security officers more than a year ago. They did so to meet new federal accounting standards to ensure that information systems that were being used to control financial records were secure, says Christian Byrnes, vice president for security programs for market researcher Meta Group. Technology companies followed.
Health care providers will be next as they work to comply with the federal Health Insurance Portability and Accountability Act (HIPAA), which requires that health care providers ensure the security of electronically transferred health records.
One of those providers is Bayshore Community Health Services in Holmdel, N.J. The company has already conducted a security assessment and is working to fix any problems that were found, says Linda Woods, chief information officer and privacy officer. “I think we’re one of the first institutions to have a security assessment,” says Woods, who also acts as chief security officer although she doesn’t carry the title. “A lot of people are saying ‘Let’s wait until the regulations are finalized.’ We wanted to have our assessment done as soon as possible. We wanted to start correcting things if there were any issues.”
Although the chief information officer oftentimes oversees information security, Byrnes and Yankee Group security analyst Matthew Kovar say CIOs have to deal with agendas that can conflict with security. They have to balance the needs of the chief operating officer, who wants to save money, against those of network administrators, who want to guarantee open networks regardless of the need for security.
“The network staff tries to be responsible to the demands from the business side and sometimes those demands are not consistent with both the needs for security and current (IT) architecture,” Byrnes says.
As a result, the company is open to security breaches. “Companies assume things are fine until a catastrophic event or an external reviewer looks through the architecture and finds the flaws,” he says.
Kovar says chief information officers and chief operating officers simply have too much to do and shouldn’t be responsible for ensuring a company’s IT security.
“The solution that they will get to — and it may be willingly or kicking and screaming — is that they need to release some of this responsibility by providing an infrastructure that can address all those needs that are no longer COO or CIO tasks,” Kovar says. “Companies should have a chief security officer. They should be required to have a CSO by the shareholders, the stakeholders.”
CSO shortage expected
The question, then, is where to find a chief security officer. The best ones, Byrnes says, are those who have an information security background. But they also must be familiar with corporate politics and have been in a policy-setting role in the past.
Some chief security officers seek certification as a Certified Information Systems Security Professional (CISSP), which is offered by the International Information Systems Security Certification Consortium. Certified chief security officers earn about $200,000 to $300,000 a year, Byrnes says.
He says about 9,000 people have received a CISSP certificate. However, Meta Group estimates there are about 24,000 chief security officer jobs to be filled.
“We’re not in too bad of shape because a lot of organizations have not tried to create the CSO position yet,” Byrnes says. “As the trend continues, we’ll have more of a shortage and that will drive salaries higher.”
Freelance writer Cynthia Flash covers business and technology from Bellevue, Wash. She can be reached at cynthia@flashmediaservices.com.