The logical progression for a CSO could be to become a CDO (Chief Data Officer).
Technology decision makers in enterprises are often at a loss when it comes to quantifying strong business benefits accruing from their roles. They are unable to strongly position and portray themselves as business enablers. The challenge is even more pronounced in the case of the CSO (Chief Security Officer).
While an enterprise information security practitioner is implicitly a business enabler, he does so through a control function. Theoretically, the primary objective of a CSO is security and compliance, which he enables by putting certain controls in the organization.
For instance, a CSO can leverage open source instead of entailing capital expenditure on proprietary software, thereby saving money for his enterprise. By saving costs, he is beyond doubt enabling business. But since he is not directly helping in generating sales or increasing revenues, it becomes tough for the management to view him as a business enabler.
While a security leader can change this view, it is a lengthy and tiresome route, which hinges on education and attitude. Both these are long-drawn processes. Besides, the more enterprising go-getters among the CSOs may not want to fight this battle. So where does it leave an enterprise security decision maker? The average of a CSO is between 40-50 years. They still have several productive years left in them. Does this then mean that they have reached a glass ceiling?
The answer is both yes and no. Yes, they have reached a glass ceiling because from here they can’t go on to become a CRO. The CRO portfolio needs someone with a finance background as it deals with market, fraud, and currency with Information Security being just one of the areas. The position typically demands a CA or a CFA. It is next to impossible to become a CIO or CMO.
The logical progression for a CSO could be to become a CDO (Chief Data Officer). There is no conflict of interest in this profile. In addition to handling the security portfolio, the CSO can take on this additional responsibility. So, in addition to securing corporate data, as a CDO, he will also manage data. Being the custodian of critical data, a CDO will make it explicitly clear that the company’s data will not be shared or exposed to anyone. He won’t be allowing any direct access to data but would be analyzing it to provide actionable insights.
A CDO not only saves cost but also generates revenues. He provides analytics to business unit heads, helps the applications and infrastructure teams by managing data and applies Business Intelligence for MIS. By applying BI and analytics to data, a CDO can provide market segmentation for the sales team. He can also give cost analysis for IT, admin and marketing departments. These put him firmly at the forefront when it comes to business enablement. He helps them in their strategizing and aids their day-to-day work.
While this could be an easier way for a CSO’s transformation, it certainly won’t be a cakewalk. The CSO will need to build skill set and knowledge. He will not only need to know a lot more about business but also enhance his technology skills (in terms of database management etc). At the end, however, it would be worth the effort.