Today’s CSO continues to face many of the traditional challenges such as response to crises, management of events, threats to brand reputation, building cyber resilience, supply-chain disruptions / thefts, workplace violence, and executive protection.
What is different today for the CSO is the pace and scale of events. Previously, a significant event would occur on occasion. Now, with the globalization of most companies’ supply and sales channels, a CSO must consistently monitor the organization’s business environment and how to support its requirements cost effectively.
1. The Blending of Digital and Physical Security
Historically, security departments have focused on just physical, not digital, security. In today’s world of the Internet of Things (IoT), the blending of digital with physical security is quickly becoming unavoidable.
I worked in the security industry for several decades; discussion continues around this convergence of physical and digital security roles. While the collaboration and intersection of the roles and responsibilities of a CSO and CISO are increasing, it is still a siloed process to an Enterprise Risk Management (ERM) solution.
With the global, technology-driven business environment today, other key players need to contribute risk mitigation strategies and solutions for their respective companies.
2. Create a Senior Executive Risk Council
I highly recommend the creation of a senior-level risk council and include Internal Audit, CISO, Head of Compliance, Risk Management (insurance), and the CSO. Be proactive, take initiative and the lead – or eventually you will be led in this by someone on the executive team. The mission of this council should be to participate in a dialogue at a senior level on various risk issues, resourcing solutions, and projects.
Generally, these executives would only come together on specific issues or projects rather than meeting on a regular basis. Today, when a problem arises, multiple departments often provide newly-found solutions to their respective executive committee members. Risk owners frequently initiate their solutions, only to find out that other risk owners have already duplicated time, effort, energy, resources, and dollars pursuing similar solutions.
3. Take a Holistic Approach to Risk Management
Organizations need to take a holistic approach to risk management, with various components having defined areas of responsibility.
For example, when the Internal Audit team submits an audit report detailing a risk to the company, who owns the mitigation of that risk? Who participated in the audit? Who is notified of the findings? The senior-level risk council members will not only ameliorate their risk strategies and solutions, they could substantially reduce insurance premiums across several areas through their risk management partner.
Think self-funding solutions. This holistic approach will be a more cost effective and efficient way to address ERM issues today and in the future.
4. Create a Virtual Crisis Response Team
Another area of concern is the notification about, and management of, crises. The old paradigm (that the crisis team would be called up and gather in a crisis room with white boards, monitors, and banks of phones) is obsolete.
In today’s world, based on diverse business location of staff and operations, as well as the mobility of most teams and executives, there usually isn’t time to assemble in a central location.
What is required now is a virtual crisis team, one that is available anywhere, at any time. With advances in technology, we can now manage and respond to crises and coordinate response teams on any device, anywhere in the world.
About Bob Pocica
After 13 years, Bob Pocica recently retired as SVP & CSO at McKesson, a Fortune 6 company and has joinedas a Security Advisory Council member. Bob and Groupdolists’ are counseling the company on various product enhancements, marketing and sales channel strategies, and helping to direct the company as it expands its markets and continues its rapid growth.
To speak with Bob or to arrange a demonstration of Groupdolists, please visit: