Who is a Chief Security Officer? What are the roles and responsibilities of a CSO? What constitutes the qualifications and experience of an ideal CSO? Why is there a growing misconception about the Chief Security Officer in Nigeria? These and other issues will be addressed in this piece within the available space and time.
Chief Security Officer
The Chief Security Officer is the leader of the corporate security functions. These functions include responsibility for overall corporate security strategy, security architecture development, and global function oversight. The scope of this role covers all utilized security technologies and services, including protection services, loss prevention services, perimeter defenses, physical and logical access control, and profile management of all employees, contractors and visitors. As the company’s senior security officer, this person also has enterprise-level responsibility for all data/information security policies, standards, evaluations, roles, and corporate awareness.
He is the executive responsible for the organization’s entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy.
The CSO works with user and technical groups and Internal Auditors in the development and implementation of a security strategy designed to provide a high level of security over physical facilities and data processing while preserving and enhancing facility and system usability. This person must be able to develop and implement flexible security solutions, dictated by the needs of a hybrid and rapidly evolving decentralized business environment. The individual must be a results-oriented person who can achieve tangible improvements in the corporate security arena. Excellent technical and communications skills are a must, as well as proven security leadership experience.
Functions/Roles of CSO
The Chief Security Officer is responsible for directing the activities of the entire security function. His responsibilities are to:
1. Work closely with corporate executives, business managers, audit and legal counsel to understand corporate requirements related to security and regulatory compliance, and to map those requirements to current security projects.
2. Develop, implement, and manage the overall enterprise process for security strategy and associated architecture and engineering standards.
3. Develop and implement policies, standards and guidelines related to corporate security.
4. Oversee the continuous monitoring and protection of facilities, personnel and information.
5. Evaluate suspected security breaches and recommend corrective actions (including incidents involving outside vendors).
6. Serve as the enterprise focal point for security incident response planning and execution.
7. Define and implement a risk assessment programme, which will define, identify, and classify critical assets, assess threats and vulnerabilities regarding those assets, and implement safeguard recommendations.
8. Assist Internal Audits in the development of appropriate criteria needed to assess the level of new/existing applications and/or technology infrastructure elements for compliance with enterprise security standards.
9. Establish and monitor formal certification programmes regarding enterprise security standards relating to the planned acquisition and/or procurement of new applications or
10. Assist in the review of applications and/or technology environments during the development or acquisitions process to:
a. Assure compliance with corporate security policies and directions; and
b. Assist in the overall integration process regarding the company’s own technology environment.
11. Oversee the development of, and be the enterprise champion of, a corporate security awareness and training programme.
12. Manage security functions related to corporate information systems or data centers, working closely with the manager of information security.
13. Evaluate changes to the corporate environment for security impact and present findings to top management.
In other words, the CSO is responsible for several functions within the larger corporate set up, including:
a. Leading the operational risk management activities to enhance the value of the company and brand.
b. Overseeing a network of security managers and vendors who safeguard the company’s assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
c. Identifying protection goals, objectives and metrics consistent with the corporate strategic plan.
d. Managing the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, loss prevention, workplace violence prevention, access control systems, video surveillance, emergency management and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
e. Working with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
f. Maintaining relationships with local, state and federal authorities, law enforcement and other related public and private agencies.
g. Overseeing incident response planning as well as the investigation of security breaches, and assisting with disciplinary and legal matters associated with such breaches as necessary.
h. Working with outside consultants as appropriate for independent security audits.
The ideal arrangement is for the Chief Security Officer to report directly to the Chief Executive Officer of the Corporation and serve on all Executive Councils. The CSO should have direct reports including an administrative assistant, the manager of security architecture and engineering, and various other staff as the case might be. The CSO should have dotted line reports including the Manager of Information Security, and the Manager of Internal Audit.
Requisite Qualification/Experience of CSO
A Chief Security Officer must possess at least a bachelor’s degree or equivalent work experience. He must have:
a. Excellent staff management skills;
b. Ability to interface with top management; and
c. At least 7 years of management experience, at least five of which were in a security-related area in a leadership capacity.
Unfortunately, these well-defined and articulated roles and responsibilities, which are as old as the profession, and the requisite qualification and experience for the position of a CSO are ignored when the search for someone to occupy the position arises. Each time corporate organizations in Nigeria set out to recruit a chief security officer (CSO), they advertise their ignorance of corporate security in the process. The core job qualification that is usually demanded from applicants is a mandatory background in military or law enforcement, while other requirements are mere adjuncts.
The thoughtless manner in which the management of corporate organizations, ministries, agencies and departments in the country has made a military or law enforcement background a core job requirement for those desiring to be CSOs in their establishments gives the impression that they intend to hire a Commanding Officer who would protect a military facility.
From the foregoing, it is evident that the CSO is a governance position and not a mere tactical position. He ensures the overall security governance of the organization. It is imperative that he understands the fundamentals of lots of different disciplines.
A CSO must be a savvy person who has a thorough knowledge of the organization and its business. An effective CSO must be a security generalist who is vastly grounded in diverse security systems. He must have hands-on experience in investigation, crisis management, loss prevention, security technology assessment and purchase, brand protection, contract management, executive protection, intelligence gathering, supply chain security, contingency planning and emergency response, among others. He should have a knowledge base to build a consistent and time-tested security programme needed to protect the organization’s critical infrastructure, information and reputation.
An ideal CSO must possess the knack of managing human, tangible and intangible resources, and a strong character and competence to interface with top management in setting and implementing security policies. As a member of the corporate executive leadership, his role must include moulding and shaping policy at the boardroom level. A CSO must be a repository of security know-how. Commitment, loyalty, and competence must flow ceaselessly in his veins. Those are the paths a CSO must travel if he is to be an effective protector of his organization’s assets.
It is therefore obvious that the position of a Chief Security Officer is knowledge-driven, and not an automatic job for just any erstwhile uniform-wearing professional whose core competencies are mainly in defense and law enforcement, or for a man with a wide chest and high shoulders.
It is laughable that corporate organizations that pride themselves on hiring a highly competent workforce could entrust the security of their human and material (tangible and intangible) assets to a corporate security neophyte.
It is also unfortunate that many companies still perceive corporate security mainly as a job of brawn, requiring no brain to perform. Hence, corporate security to this class of organizations revolves mainly around opening and closing gates, watching over car parks and attending to visitors, and the CSO is seen as an errand boy who must do the bidding of management at all times.
It is as a result of this warped perception of corporate security that the management of most organizations in Nigeria goes for a CSO who has a military or law enforcement background so that he can bring his force-mentality or regimental-command posture to bear on their security set up.
It must be drummed loud and clear that corporate security (also known as industrial security or private security) is not an exclusive domain of retired military, police, and Department of State Services officers. Indeed, they must first make the essential transition both mentally and educationally for them to function effectively in the private security industry.
While we agree that a military or paramilitary background is an added advantage and makes the transition easier and smoother, it in no way equips the individual with the know-how to function as a CSO in a corporate set up.
The truth remains, a good number of these “ex-this” and “ex-that” have little or nothing in terms of requisite experience to transform into corporate security professionals. Besides, many of them never functioned as core operation officers while in service. They rather built their career in other corps or departments such as education, medical, administration, finance, works and so on, which offer less than meager experience to excel in corporate security.
Retired military or law enforcement personnel who intend to forge an illustrious career in corporate security should be prepared to take a plunge in the knowledge ocean of corporate security. After their disengagement from service, they should enroll in higher institutions or join professional institutions that offer courses in corporate security. The Nigerian Institute of Security provides both the professional training and experience in this direction.
Obtaining a degree in criminology does not make anybody a security professional. This is a marked contrast to the false impression created by many corporate organizations in Nigeria that a degree in criminology confers the status of a security expert. The Nigerian Institute of Security recommends that even after acquiring the basic educational qualification and membership of a professional body, aspiring CSOs from the ranks of “ex” should endeavour to work in a top-class private security firm where they can acquire hands-on experience in corporate security systems operation and management.
Another dimension to the problem worth mentioning is the engagement of criminal gang leaders, known cultists and militia leaders as CSOs at all levels of our national stratum, which is now in vogue. Ethnic militias and warlords and their followers now constitute the nation’s contract security force and VIP bodyguards – providing Executive Protection? Security jobs now act as a means of settlement of and compensation for political supporters, thus further saturating the industry with more quacks and charlatans. In all our villages and towns, known terrorists and criminal gang leaders are now celebrated heroes and community CSOs. It is no different in government ministries, departments and agencies. Our palaces, town unions and event organizers now engage the services of this category of persons. The price for such acts is already impacting the system negatively. When quacks dominate the security industry of a nation, insecurity prevails. Insecurity has been identified as being responsible for the collapse of numerous viable public and private enterprises in Nigeria. Insecurity is known to have driven the socio-economic life of many communities to an abrupt halt. Insecurity has been fingered in several senseless killings across the country. Change is demanded.
Security is a critical business imperative that requires highly knowledgeable personnel to manage. But the shallow understanding of this noble profession and its immense enhancement of the corporate bottom line has affected its proper application and appreciation by corporate organizations in Nigeria, as most establishments are content with relegating security, thus stifling its independence and relevance by placing it under the direct supervision of an administration or human resources manager, a non-professional. This has led to the collapse of many promising corporate organizations in Nigeria. A change is necessary now.