Calling in Outside Experts

By Baselinemag  |  Posted 2002-09-16

While most companies interviewed by Baseline say there has been a heightened focus on security and a review of measures in place, chief security officers (CSOs) still remain a rare breed. What's more, some early pioneers are embattled.

Several high-profile security chiefs have lost their jobs or been reassigned in recent months. For example, Michael Young, chief information security officer at State Street Global Advisors in Boston, lost his position in a company reshuffling in April. Fidelity Investments' vice president of infrastructure and risk management, Michael Moulton, was dismissed last December, and Steve Katz, the high-profile chief security and privacy officer at Merrill Lynch, accepted a buyout.

Those in the industry say a debate over who should be responsible for security within an organization, and to whom that executive should report, undoubtedly causes much of the turmoil.

"You're seeing the organizational frictions that have always been in place coming to a head," says Lloyd Hession, chief security officer for Radianz, a New York-based company that operates a private trading network handling transactions between many of the world's largest brokerage houses. "Companies that brought in a CSO after 9/11 thought it would sort out their internal security issues. What it really did was highlight the conflicts that exist."

CSOs Rise Despite Conflicts

Giga Information Group, a Cambridge, Mass., consulting firm, estimates that fewer than 10% of large companies had adopted the role of a chief security officer prior to Sept. 11. Penetration was strongest in the financial services and software sectors, but practically nonexistent in most other sectors. While Giga agrees that internal conflicts will hamper the adoption of corporate CSOs, it still believes that by the end of the decade close to 50% of companies will have such designated executives. Financial services, utilities and software will again lead the way.

The chief areas of conflict are which side of the business the chief security officer comes from, physical security or information technology, and to whom he or she reports. Should the chief security officer report directly to the CEO, the chief financial officer, the chief operating officer or the chief information officer?

Not surprisingly, the answer depends on the expert you talk to, that person's background in security, and the business that person is now in.

"Physical security and information security are separate practices; I don't believe they should be the responsibility of one executive," says Robert Justus, vice president of systems and contingency planning for Union Bank of California.

Following Sept. 11, executives with the San Francisco-based bank re-evaluated security policies and procedures, and management structure. Union Bank has one executive in charge of physical security and Justus heads up the electronic side. In the end, the bank decided not to appoint a chief security officer.

"The skill sets involved in the hiring and placing of security guards are very different than those in protecting a computer network," says Justus. "That being said, we do meet regularly and have to coordinate our efforts on the investigations end."

Calling in Outside Experts

In the wake of Sept. 11, companies have increasingly called on outside expertise to evaluate their current security procedures and policies. What they have found is that vendors are very much divided between the worlds of physical and electronic security as well.

IBM probably offers the broadest array of technology and services in the field, but it cannot place security guards at a site. Instead, it has forged a partnership with Kroll Inc. of New York to provide physical security.

Risk management firms like Kroll have been called in to such high-profile sites as the Sears Tower in Chicago to evaluate security, but they don't have the resources, for example, to implement a secure online banking application. And a growing list of managed security services providers such as Counterpane Internet Security and Internet Security Systems will offer to protect a company's computer network on an outsourced basis, but have no ambitions to enter the world of physical security.

Mike Hager, chief security officer for OppenheimerFunds, one of the largest mutual fund companies in the U.S. with more than $125 billion in assets, says it often comes down to the best use of resources—both for the vendors and the companies. While Hager's title is chief security officer, he is not responsible for physical security at Oppenheimer, just electronic security. "Quite frankly, I don't want to be the guy responsible for whether the card reader's working on the third floor of a building. That's not a good use of my time."

Conversely, Gene Thompson, vice president of security for the Macerich Co., one of the largest owner/operators of shopping malls in the U.S., has no ambitions to be in charge of the electronic side of the company's business. "That's not my world; my understanding of information security is too limited," says the former Secret Service agent who now works at the Santa Monica, Calif., company.

While the debate may go on for years, there is general agreement on one principle. In the absence of a chief security officer, both the physical and electronic security executives in a company should report to one senior executive.

"The need (for one executive to be responsible) is absolutely there," says Kirk Kness, vice president of application architecture at brokerage T. Rowe Price. "But it doesn't have to be so black and white."

The terrorist attacks against the U.S. on Sept. 11 last year sent many CEOs off to hire a single accountable executive to deal with all cyber and real-world threats to corporate assets: a chief security officer. But the early returns are mixed.

At least half of all major U.S. companies are expected to establish the position of chief security officer in the next seven years.