Chief Security Officer: No Magic Bullet - ' Calling in Outside Experts '

Calling in Outside Experts

In the wake of Sept. 11, companies have increasingly called on outside expertise to evaluate their current security procedures and policies. What they have found is that vendors are very much divided between the worlds of physical and electronic security as well.

IBM probably offers the broadest array of technology and services in the field, but it cannot place security guards at a site. Instead, it has forged a partnership with Kroll Inc. of New York to provide physical security.

Risk management firms like Kroll have been called in to such high-profile sites as the Sears Tower in Chicago to evaluate security, but they don't have the resources, for example, to implement a secure online banking application. And a growing list of managed security services providers such as Counterpane Internet Security and Internet Security Systems will offer to protect a company's computer network on an outsourced basis, but have no ambitions to enter the world of physical security.

Mike Hager, chief security officer for OppenheimerFunds, one of the largest mutual fund companies in the U.S. with more than $125 billion in assets, says it often comes down to the best use of resources—both for the vendors and the companies. While Hager's title is chief security officer, he is not responsible for physical security at Oppenheimer, just electronic security. "Quite frankly, I don't want to be the guy responsible for whether the card reader's working on the third floor of a building. That's not a good use of my time."

Conversely, Gene Thompson, vice president of security for the Macerich Co., one of the largest owner/operators of shopping malls in the U.S., has no ambitions to be in charge of the electronic side of the company's business. "That's not my world; my understanding of information security is too limited," says the former Secret Service agent who now works at the Santa Monica, Calif., company.

While the debate may go on for years, there is general agreement on one principle. In the absence of a chief security officer, both the physical and electronic security executives in a company should report to one senior executive.

"The need (for one executive to be responsible) is absolutely there," says Kirk Kness, vice president of application architecture at brokerage T. Rowe Price. "But it doesn't have to be so black and white."

The terrorist attacks against the U.S. on Sept. 11 last year sent many CEOs off to hire a single accountable executive to deal with all cyber and real-world threats to corporate assets: a chief security officer. But the early returns are mixed.

At least half of all major U.S. companies are expected to establish the position of chief security officer in the next seven years.