New CSO Challenges: Data, Visibility, Knowledge

Where should the new CSO focus their attention, and which choices will have the most significant impact?

Joe Crampton
Chief Product Officer, Resolver
June 17, 2021 · READ

As a  senior  leader steps into a new role in a new organization,  they will ask themselves a few common questions: Where  should I  invest resources? What should  I  improve  now, and what can wait? Chief Security Officers  are no different. Their decisions will have  a significant  impact on  the organization’s culture and effectiveness.  

New Roles, New Questions

Like  risk  and  compliance,  the security function  provides a service to the whole business: they empower the business to move faster. They are there to make sure the  company  achieves its objectives. So,  where  should the new CSO focus their  attention, and  which choices will  have the most significant impact?

I recently spoke with Jill; a  CSO hired to implement a global security function for a  multinational.  We  talked  about her role  and the  challenges  she faced stepping into a new organization.    Jill  and her organization have chosen to remain anonymous, but the issues she  experienced are  pervasive,  and many security leaders  face  similar problems.  

We Only Know What People Happen to Remember    

Jill  quickly  realized that her new company lacked a history of serious incidents, investigations,  and  other  essential  data. She told me:  I  wanted  to assess the security risks at different plants and distribution centers,  but  the only way to find the history of the site was to ask  HR. We  only have  the data that  people can remember.”    

The most critical aspect of maintaining data about recent incidents is to make sure everything is clearly and efficiently organized. Jill said that her company “didn’t have an up-to-date database for new and sensitive investigations. There wasn’t a single system for keeping track of how any situation was handled by legal, security, or HR. We had scattered Word documents in different folders, and that’s no way to run things.”  

Jill is  correct  to be concerned. She  wants to build a mature security function and help the business achieve its strategic objectives, but she can’t do that without the data. What will drive measurable improvements? Should she implement new cameras or an access control system?  Which  policies and procedures need her attention? If she doesn’t have the proper data, there’s no way for her to know which of her decisions will have the  most significant  impact.  

What Are You Missing?  

Resolver’s Corporate Security  software  helps  collect all of this data and organize it so that Jill and  her team  have  immediate  access  to the information they need. The  information  is clear, transparent, and easy to find so that they can make  informed  decisions. When  an organization starts using Resolver, they  typically  see an increase in the number of incidents in the first year.  Why do you think this is? Now that  incidents are  consistently  and efficiently  logged,  the  accurate  data is  visible for the first time.  

Two recent case studies highlight how organizations used Resolver’s incident reporting portal to  build a data-driven approach to security  and  gain full visibility into all security incidents.    

Collaboration That Respects Privacy  

Jill  commented  that  in order for her team  to  make the right decisions,  she needed  context about the individuals involved. She needed to see records of how legal, security,  and  HR had engaged with  that  employee in the past. Jill told me that there are “certain things HR doesn’t need to share with me”¦but knowing that someone had an allegation of sexual harassment  is  critical  when evaluating  an incident involving a manager and a female employee in the parking  lot”.  

Employee information sharing  is  challenging  for  multinationals.  We have offices around the world, and the employee  behavior  and culture at each location can be very different.”  Every  location has its own norms; for instance, an employee showing up with a gun in their vehicle might be common in some  places, less so, or even unheard of  in others.  The documentation of that event and the response may be quite different  depending on the location. The decision of whether to share that data with other teams may also vary.  

Jill’s final  note  on employees was  is  that  it  should be easy for people to  report incidents, complaints, and risk events  without  guessing  where the reports should go. Everything needs to be efficient,  and the chain of information needs to be easy to use for everyone involved.  

Making an Impact

I  spoke  to  a  colleague, Jack Miller,    who works closely with CSOs, VPs,  and Directors of Security, and he echoed this concern. “The first two challenges for a security executive looking to build up a mature security function are Policy Writing and Standardization. Policy  Writing  is mostly about establishing what policies are in place and who they need to work with to get  sign-off  and enterprise buy-in.  Standardization  is about the challenge of identifying and bringing together all the various systems and contracts that are in place at each location.” Think back to our new CSO above; each  of those global offices  is likely to have different guard forces, access control systems, video systems, alarms, and more.    

The main challenge for the new security executive,  whether they are already a  CSO, or trying to grow to that role, is to be able to  make an impact  in  the organization.   Their job is to empower the business to move faster  by  managing  security risks. Their job means spending money, often large sums, to protect their people and assets. The hard part of their job is  identifying  which investments will make the  most significant  impact and  proving it to the rest of the organization  with data.      

Want to learn more about Resolver's software for corporate security professionals? Request Your Demo Now