New Survey Shows 75% of Companies are Not Prepared to Hire Chief Security Officers

In-depth interviews with 390 executives from Fortune 1000 companies have highlighted the gap between companies that talk about enhancing their security and those that are actually prepared to do something about it. The interviews, conducted by the executive search firm Christian & Timbers, show that while 95% of the executives interviewed said that their companies should seriously consider hiring a Chief Security Officer (CSO), only 25% are truly ready to do so, and only 8% have launched searches to fill the position. Interviewing on this subject began on September 17, 2001.

Marc D. Lewis, Managing Director and Head of the Corporate Information Technology Practice at Christian & Timbers, explained that part of the problem is that most companies have not sorted out their needs for both physical security and information security. “While a majority of companies know if they have experienced a physical security crisis, breach or intrusion, such as a break-in, many companies don’t know if they have experienced serious information security intrusions, such as a theft from a computer hacker. Therefore, the CSOs that are hired focus on physical security issues and that may not be where the focus needs to be,” he said. Moreover, he noted, “Physical security and information security involve two different skill sets and it is almost impossible to find candidates for CSO positions who have backgrounds in both physical security and information security. Rather than hiring a CSO dealing with physical security and a CSO dealing with information security, the question at many companies is which background is most important.”

Lewis noted several signs that a company is serious about its security needs and ready to integrate a CSO into its corporate structure at the highest levels. “First of all,” Lewis noted, “the company should have a documented security strategy and plan that evidences its understanding of security risks, and envisions programs to mitigate or eliminate those risks. In addition, a company should have a well-developed privacy policy that is linked with its security policies—for both physical and information security.”

Another critical sign that a company understands security issues is the amount of money it is willing to devote to them. “Typically, IT security accounts for between one and five percent of the IT infrastructure budget, with percentages near the higher end of the range being more attainable for larger companies,” commented Lewis. These percentages can vary and are typically higher in technology, financial and other services companies, including transportation.

Finally, Lewis observed that one of the best indicators that a company is serious about security matters is the reporting structure it develops for a CSO. “The ideal situation is when a CSO reports to either the CEO or COO, although CSOs focusing on information security can be effective reporting to a CIO. In smaller companies, the CSO is usually a ‘doer,’ while in larger enterprises, he or she must be equally effective as an integrator. Plus, in the larger company, the CSO must be the visionary and evangelize the importance of proper security policies and procedures to enhance ROI,” he concluded.

For additional information on Christian & Timbers, visit www.ctnet.com

American Management Association © Copyright 1997-2012