Firms Beef Up Job of Security

Digital Evolution Inc. of Santa Monica already had a chief technology officer and plenty of security experts. What the Web services company lacked was a point person on security.

Or as the man ultimately hired for the job remarked, clients wanted “one neck to choke.”

Erick Herring was hired in August 2001 as chief security officer, a title that hardly existed two years ago. It’s an increasingly popular job title, particularly with chief executives showing more interest in security after the Sept. 11 attacks.

“Senior executives, say CEOs, would call in the head of [information technology] security and the head of physical security into his office and say, ‘Are we prepared?’ ” said Giga Information Group analyst Steve Hunt. “And the two guys had never met.”

High-profile chief security officer hires over the last year have occurred at companies such as AOL Time Warner Inc. and Sun Microsystems, while a CSO Magazine debuts this month.

Executive search firms also are paying attention. Christian & Timbers wasn’t recruiting any CSOs a few years ago; now it does five or six a year.

But that doesn’t mean all of corporate America is running out to hire a CSO.

Many companies aren’t so sure they need one--or even what the bearer of the title is supposed to be doing.

Chief security officers mean different things to different companies. Some handle physical security, some secure company networks from hackers. Others, such as Herring, focus mostly on making sure products are secure. Some do all three.

Companies are wrestling with tough questions:

Should one person handle physical and computer security? Should the CSO push security at any price or find the most efficient solution? Where does the job fit in the corporate hierarchy?

Christian Byrnes of the research firm META Group says only about 30% of companies have the equivalent of a chief security officer, with only about 5% of them combining physical and information security under a single person.

Larger companies are particularly cautious.

When Christian & Timbers surveyed 390 executives at Fortune 1000 companies in April, 95% said they needed to hire a CSO but only 25% were ready to hire and 8% had begun recruiting.

Hunt says even the Sept. 11 effect was minimal. Although some companies created the CSO title, for many the job already existed under a different name so the CSO had little new power.

“The organizations were quick to get someone in place, but they may not have had the power they need to effect change,” said Ray Wagner, research director at Gartner.

Often, CSOs don’t work out.

“Life spans of 12 to 24 months are not uncommon,” says Gary Lynch, who held top information security jobs at Prudential and Chase Manhattan and is now a consultant at Booz Allen Hamilton.

“They become overwhelmed with operational issues and never get to strategic issues.”

Growth projections for the job vary by sector. Giga estimates that most software companies will have CSOs by 2009, up from 20% next year. But in retail, the number is projected to grow to only 10%, up from 3%.

Many companies are waiting to see how the first wave of CSOs fare.

Others have simply decided that an all-encompassing CSO doesn’t make sense for them.

When Microsoft Corp. CSO Howard Schmidt, who had a military and law enforcement background, left to work at the White House, replacement Scott Charney was given the title of chief security strategist.

Charney oversees security for Microsoft products and talks to the industry and government about security. But the company’s physical security is now handled separately.

Experts say it may not make sense to incorporate physical security--of a company’s buildings and employees, for instance--and computer security into one job. That’s especially true for companies that hire a law enforcement veteran with little computer experience for a job encompassing both.

Still, security needs depend on the industry. For a high-tech manufacturer, for instance, protecting plants from snoopers is akin to protecting intellectual property on a computer.

And in large companies, the job is more a political one. The CSO can rely on staff for technical advice.

Another problem is that too many CSOs understand security, but not the overall business.

Part of a CSO’s job should be to strike a balance.

At Digital Evolution, Herring says he knows companies where the security people throw up too many firewalls, shutting down the company’s systems too often.

“The people who are in security say, ‘That’s tough. That’s the price of security,’ ” he said.

Eric Pulier, Digital Evolution’s CEO, acknowledges that hiring a CSO meant some cultural changes in the office. Employees were used to reaching consensus decisions about security.

Pulier still welcomes their feedback, but says the company needed a single, strong voice.