Another unpublished article, written for a foreign publication. It deals with the education, compensation and recruitment methods required for the CSO (Chief Security Officer) function, known in the Croatian corporate world as "direktor osiguranja" or "direktor sigurnosti" ("direktor za sigurnost"), i.e. security director, or as "rukovoditelj sigurnosti" / "rukovoditelj sigurnosne funkcije", i.e. head of security or head of the security function.
Education, compensation and criteria for establishing the CSO position
“The CSO position is (or at least should be!) a senior leadership position. As in all such cases, there are significant expectations of potential candidates regarding education and experience. High levels of education and certification are expected and highly valued across organizations, and they are an element that can improve a candidate's overall positioning, including the informal one. CSOs usually hold a degree in law, finance, business administration, security management, IT systems management or criminal forensics. However, every organization has its own roots, customs and development path, so the CSO profile should reflect those requirements. Certifications that can improve a CSO's chances are usually in the field of forensics or ICT systems security: ISO 27001:2005 Lead Auditor, CISSP/CISM or EC-Council ethical hacking.
All of the elements outlined above present a significant problem during CSO recruitment. The same old story can be heard all over the world whenever CSO recruitment comes up: there are no suitable candidates, while those who do seem suitable exceed the compensation scale assigned to the role. There are many aspiring candidates and very few with a proven record of practical experience. Furthermore, CSOs sometimes tend to mirror their previous experience: those who used to deal primarily with physical security strongly emphasize physical security procedures, while those who were in charge of information security try to tighten logical security. It is very rare to find candidates in charge of integral security who have the big picture both in their minds and in their curriculum vitae, and even fewer such candidates are available on the labor market through the usual channels.
The situation is further aggravated by the fact that human resources departments very often do not possess the specific skills needed to recruit successful CSOs. CSOs are usually not found in headhunters' candidate databases either. Additionally, the compensation scheme is always an issue. Unless the CSO is adequately treated, it is possible to hire somebody who will use the position as a comfortable transition to a more lucrative job and who will not achieve any security goals or improve the security climate within the organization. Some companies attempt to create „hybrid CSOs“ by merging physical security and information security, or contract security, public relations and information security, while skipping other important CSO functions and delegating them to business functions without clear top-level coordination. Let us say it openly: a successful CSO story is a story of a senior management position and a satisfied manager challenged by complex tasks that encompass every part of the business process.
Despite this, there are as many titles for the person in charge of integral security as there are large corporations, and in almost all of them the responsibilities and expectations on both sides differ. Very often the person supervising security-related tasks is a manager in one organization, an executive director in another, and simply the CSO in a third. Usually, where the perceived level of overall risk is higher, the compensation scale is also moved to a higher level. However, organizations are proverbially slow in recognizing the CSO's scope of work and, consequently, are not always able to determine a suitable job description or salary scale. Worst of all, the CSO is sometimes treated as an „additional cost“ when the CSO position is a new opening and the security culture is undernourished.
So the overall situation is not easy, neither for organizations under pressure to increase their profit margins by ensuring uninterrupted business flow, nor for potential CSO candidates.
A classic dilemma that organizations face is also internal development vs. external recruitment. Internal candidates are readily available, the direct cost of employment is lower, the person already has a certain level of visibility within the organization, and if such a person is already treated as an expert in his/her field and is well respected, he/she can be more easily accepted in the new position. However, promoting internal resources brings the risk of inadequate or lacking knowledge and the additional costs of education and certification, and it leaves a gaping hole in the position from which the new CSO came, thus creating a problem for the sourcing department.
Bringing in new candidates certainly brings new blood to the company, along with knowledge, certifications and added value, but the direct cost of employment is higher, the time needed to make the new position operational can be longer because of the selection, recruitment and hiring process, and the new person is usually under stress due to the workplace change, so it takes some time to get accommodated to the new organization before the new CSO starts at „full speed ahead“. Finally, one of the biggest problems a new CSO can face is the disruptive behaviour of the prospective collaborators who should support him/her but see only a whistleblower hired to control their work, constantly looking for jobs that were done poorly, or that were not done at all and should have been done long ago by the respective process owners.
Finding a suitable CSO candidate is not an easy job for the organization, nor a very pleasant transition for the candidates. Applying the correct framework is crucial to achieving the end result: hiring the right person for the right job and improving the security climate. However, even the best candidate in the best possible organization will fail unless he/she is given the appropriate level of responsibility and authority and the right salary, unless the top level of the organization is dedicated to achieving the goals of security excellence, and if the CSO is underpaid compared to his/her peers. A high level of consensus and trust between the CSO and top management is needed to step up to the next level of corporate security; if there is no such consensus, everything else is a hybrid function, a partial internal reassignment of resources (human, material, organizational or financial) and, finally, potentially a loss of time with no real added value.”