Global 1000 Companies Should Hire a Chief Security Officer by the End of 2005
By Matthew Kovar, Tech Update
October 16, 2003

Trend Overview
As businesses move more mission-critical business processes and applications to IP networks and use the Internet to communicate with suppliers, partners and customers, security has become a concern. C-level executives, including the CEO, CFO, CIO, CTO and COO, are increasingly burdened with strategic and tactical decisions, all the while maximizing shareholder value. These responsibilities, however, conflict with the enterprise’s increasing security requirements.

Trend Impact
Security is no longer a network-only issue; it’s integrated into CRM, supply chain, portal and extranet software. Security budgets are increasing by 25–50% annually. But the budgets are not being spent wisely or with any leverage at a corporate level.

Bottom Line
Enterprise Recommendations
Other C-level executives should support the CSO position. Their interests and our recommended actions, summarized in Exhibit 1, are as follows:

Exhibit 1
Corporate Management Responsibilities for Security
Source: the Yankee Group, 2002

  • The CEO’s primary responsibility is the strategy and direction of the business. He or she is also responsible for business development and the image of the company, and is the ultimate proponent of shareholder value. Security should be a concern but CEOs usually have a dozen other things in line ahead of it. Security is ultimately not a differentiator for the business. To execute the security vision, a CSO must have the ultimate support and full confidence of the CEO to wield the security stick.
  • The paramount issue for the CFO is controlling costs. CFOs are not supporters of visions of robust, feature-rich and flexible architectures. Their reason is simple—they cost too much. The CSO must make the CFO understand that centralization of the security vision and spending will ultimately save money. The CSO must also initiate a Net Security Risk (NSR) exercise to calculate the financial risk of avoiding security spending.
  • The CIO keeps the business systems up and running. CIOs are already battling with the CFO for system budgets. In the wake of that battle, security is squeezed as a “nice to have.” The CSO must gain the support of the CIO so that technology teams cooperate with the unified security vision. For the CSO to succeed, the CIO must make it clear to the IT professionals that security is a part of all technology and a critical part of their jobs; failing to take this into consideration will lead to immediate termination.
  • The CTO establishes the technology direction of the company. This executive’s role is to understand diverse business requirements and the technologies on the market; the challenge is to fuse these into a technology strategy. The CTO, however, should not be in charge of the daily operational responsibilities of the business and should not be tasked with security operations among other technology decisions. The CTO should be a big proponent of future technologies that may not be consistent with existing applications. The CTO can help the CSO make the other C-level executives understand why these new paradigms are critical to the success of the organization.
  • The COO is the battlefield commander responsible for the day-to-day operations of the company. He or she is responsible for tactical implementation of all business directives. Security adds an additional step to all other business and operational life cycles and thus requires more time, more people and more money, all of which are not central to the COO’s charter. The CSO must leverage the COO’s operational control to make the daily support of security procedures a part of the organization’s daily routines.
  • The CSO is responsible for physical and technology security. There have always been legal and business reasons to secure the physical infrastructure. Now there are personal privacy regulations in financial services and health care that make it a legal obligation to secure online information as well. The CSO’s challenge is to create a vertical security organization that understands all of the aspects of networks, hardware, software, applications and data. The CSO must then communicate this vision across all departments and business units.
Level   Responsibility                        Security Conflict
CEO     Strategy and growth of the business   Security is not a differentiator nor does it provide a competitive advantage
CFO     Control costs                         Battling with CIO over systems expenditures; security budget is squeezed
CIO     Business systems                      Limited budget that must be allocated by business requirements, which hardly ever include security
CTO     Technology direction                  Limited daily operational responsibility
COO     Tactical implementation               Security extends the business life cycle and diverts resources from revenue-generating activities
CSO     Secure the business                   Provides a vertical and horizontal strategy

The Yankee Group originally published this article on 10 October 2002
