
Industrial security - October 2018

16 September 2018

For many people the role of the chief security officer or director of security is seen as a pinnacle within the security profession, but what is it, how do you get there and do you really want to? Mike Hurst provides the answers.

ONE DEFINITION is that the chief security officer (CSO) is the employee responsible for the physical security of a company, including its communication and business systems, protecting people, assets, infrastructure and technology. The role of the chief information security officer (CISO) has many similarities and in some cases can be combined, but for the purposes of this article, I am focussing on the CSO.

We probably also need to consider some of the areas that a CSO could be responsible for. These include but are not necessarily limited to:

Physical Security


Executive Protection

Insider Threat


Intellectual Property Protection

Security Awareness

Duty of Care

Lone Worker

Cyber / Information Security

Counter Terrorism

Loss Prevention

Brand Protection

Risk Management


Supply Chain / Logistics

Security Services

Travel Risk

Many, if not all, large organisations will split these roles, so you may have a director of investigations or director of loss prevention, each of whom may report into a CSO or into another C-Suite position, and often they are quite independent of each other.

So, how can CSOs possibly know about all these areas? Well, they do not have to. They will almost certainly have a high level of expertise in one or more of these, but as with many senior positions, it is often a question of having the skills and experience to identify areas of concern or where action is needed and then taking advice from or delegating tasks to people who have the specific skills.

You need to know what you know but also know what you do not know. A security department in an enterprise is there to help facilitate the running of that enterprise, in the same way that HR, legal and marketing departments do, and the person running that department needs to be a good manager and a good leader. There is in fact a case that says the CSO need not have security experience. I know of several global CSOs who come from non-security backgrounds such as audit, compliance or legal, or who have moved into senior security positions straight from non-security related, military or Police roles.

The reporting structure is also very varied. There will be some examples of a CSO sitting on the main board of an organisation, but more often they will report in via a range of possible routes, although it is hoped or recommended that the security function is at a high level within an organisation.

Possible Reporting Lines

Chief Executive Officer

Chief Operating Officer

Chief Risk Officer

Chief Information Officer

Chief Information Security Manager

Human Resources

Chief Financial Officer

Head of Legal

Head of Property / FM

There is research to support the belief, rightly or wrongly, that security professionals often lack the business management skills needed at the very top level of an organisation.


So what qualifications should a CSO have? As you would expect, the requirement is for a mix of skills, experience and qualifications, but it would not be unreasonable to see these professionals holding a Master’s level degree in the same way that the CFO or Head of Procurement may well do, along with some formal security qualification or certification such as the ASIS CPP® or, for a CISO, the CISSP from (ISC)². Specialist courses in Risk, Counter Terrorism, Management or even Finance are also not unusual. A background in the military or law enforcement is common, but not essential.

You would probably expect a senior security professional to have a trusted network of peers. Sometimes these are informal, but there are a number of membership organisations that a CSO may be part of. Three that spring to mind are:

The Security Institute (predominately UK) and ASIS International (UK and global) both welcome members at all levels.

The correct career path is a tricky one, as there is not really a clear career path in the same way that there is for other professions. I would encourage people to get qualified / certified, join associations, build a personal trusted network of peers and mentors, be aware of industry trends and developments that may lead to opportunities and think carefully about career moves.

Just remember that the security profession is a wide and diverse one and there are many opportunities to forge an interesting, fulfilling and rewarding career.

Mike Hurst CPP® is Vice Chairman of the UK Chapter of ASIS International and a member of its European Advisory Council and Leadership and Management Practices Council. For more information, visit www.asis.org.uk