The life span of corporate chief security officers (CSOs) is increasing, with the average stay about 36 months, up from 24 months just a few years ago.
"Now we're getting business-background guys, and they're lasting a lot longer," says John Pironti, the chief information risk strategist for Getronics, who ran a CSO Bootcamp at Interop Las Vegas this week and was in charge of the security-education track for the business technology show.
But the job is still one where the new person comes in, shakes things up, inevitably causes some bad feelings and, once a better security culture has taken hold, moves along, he says.
The position of CSO was invented as a response to specific security failures at businesses, in an effort to tighten up defences, and the first CSOs were largely chosen from the ranks of the IT staff.
"The first generation was ex-techies," he said. They were suited to putting out the immediate fire that demanded the creation of the job, but not to creating self-sustaining work environments that made security a priority - a skill that many of the ex-techies lacked.
Even with business skills, these new CSOs have a limited life span because they shake things up so much that politically, their days become numbered, he said. "They spend 24 months getting up and running and 12 months advocating for their next job," Pironti said.
Part of the politics comes from the need to influence all people in IT, not just the security team, to make security a priority, said Jim Routh, the CSO of US financial services provider Depository Trust Clearing. "You have to depend on other people to do certain things to protect data," Routh said.
He recommends bringing in consultants to audit the business's security and delivering an assessment that the CSO and the rest of IT can act on. This can take some of the onus off the CSO for being critical of the organisation.
Then it is time to educate staff about better security practices. "The prime responsibility of a CSO is to influence others' behaviour," Routh said. "Education is the most strategic tool to a CSO. It's even better than a firewall."
Even so, whipping an organisation into shape can require head-cracking. Routh says within two years at his first CSO job, 40% of his staff turned over, not because they were bad at their jobs but because they didn't share his ideas on what needed to be done.
"You need outside support and you need new blood," Routh says. "New employees have a naïveté. They actually believe they can change things."
He encourages CSOs to identify stakeholders in organisations whose cooperation is key, then analyse whether they are advocates of heightened security awareness or blockers of it. For instance, server managers may regard their jobs as setting up applications on machines so they run well. Adding concern about securing those applications might seem outside their realm and that is a problem, Routh says.
Getting high-ranking business executives to publicly endorse the CSO's goals is important for bringing reluctant employees into line. If employees can't be persuaded to get on board, it may be necessary to enlist their boss to force them, added Routh.
"If there's a vulnerability in your environment and you expose it to a management level of your organisation and the appropriate response doesn't happen, you have to reveal that information to the next level of management," he said.
It is also important to identify key performance indicators that will show that security weaknesses are being addressed, and to assign individuals to be in charge of delivering on them, Routh says. That assignment of responsibility will encourage staff to engage with the security plan without the CSO having to exercise muscle, he said.
Once a CSO's plan is in place, it often becomes necessary to move on to another job, Pironti adds, because CSOs tend to constantly seek new challenges. But it is important to leave a business in good hands when the CSO moves on. "Identify your successor or group of possible successors early on and groom them," he said.