A knowledge of information security risk management is just one of the many skills a chief security officer needs for crafting, influencing and directing an effective organisation-wide protection strategy, according to guidelines from a group of security professionals.
Increasingly, the job also calls for an understanding of issues as diverse as emergency preparedness, crisis management and response, physical security, disaster recovery, as well as privacy and regulatory matters.
The guidelines were released by ASIS International, a 33,000-member group of security professionals.
"There's been a lot of discussion on the need for organisations to create a centralised governance function for many areas of risk," said Jerry Brennan, president of Security Management Resources.
The guidelines are the result of an attempt to give a formal definition of the scope, responsibilities for reporting relationships and experience needed to do the job.
"There wasn't much available that addressed the pulling together, from a governance perspective, of all of the areas of security risk that an organisation faces," Brennan said. "So we decided to try and craft a document that would be broad-based and truly represent what the CSO position would be in an organisation."
The ASIS guidelines come at a time when a growing number of security professionals say there needs to be a top-level management position to oversee all aspects of operational risk.
"I have always found it preposterous to suggest that there are separate disciplines that require separate management" when it comes to operational security, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
For example, installing a privacy officer who is separate from the rest of the security team only "fragments the effort and ensures that the physical and virtual aspects of privacy have to be laboriously co-ordinated", he said. The same is true when it comes to having separate chief information security officer and CSO functions.
"Having been both separately and now both at the same time, I can state with confidence that combining them makes the most sense," Treece said.
Even so, security professionals agree that only a relatively small number of companies have created a formal CSO function because of the substantial political and organisational challenges that need to be overcome in doing so.
The popular notion of the CSO being the person in charge solely of IT and physical security functions has also limited the effectiveness of the role, said David W Stacy, global IT security director at St Jude Medical, a US manufacturer of medical equipment.
"I prefer the concept of the chief risk officer that encompasses these two areas," while also including other functions such as privacy, risk insurance and regulatory compliance, Stacy said.
"So, moving to a CSO model that only deals with IT security and physical security may be a logical first step to eventually getting to a CRO model," he added. "But even having a CSO would be a revolution, as opposed to an evolution, in many organisations."
Some security professionals have trouble with the concept of having an all-encompassing role. For one thing, "there is a huge difference between the practice of physical security management and information security management," said Eddie Schwartz, chief technology officer at Securevision consultancy.
"While both disciplines have the use of technology as a common element, the background and education of the practitioners are distinct."
There's also the danger of rolling far too many functions under the CSO umbrella, Schwartz said.
"It's an unnatural organisation of activities and doomed to failure in most organisations."
Jaikumar Vijayan writes for Computerworld