A key relationship in any organization with an effective security strategy is that between the CSO and the CEO, who must work together to ensure that security investments are mapped to the changing risk landscape. Network World President and Editorial Director John Gallant asked BT Radianz Acting CEO Laurie Bowen and CSO Lloyd Hession, via e-mail, to discuss how they handle this challenge at the financial-services industry connectivity provider. Hession and BT Radianz CFO Larry Kinsella are scheduled to share their thoughts on stage at The Security Standard conference, which takes place in Boston on Sept. 6 and 7.
I want to explore your working relationship and how you sync up on the risks facing the company and how to manage those risks. Let's start by talking about what you expect from one another at a fundamental level.
Bowen: Our customers trust our services to be high performance, reliable and secure. I look to Lloyd and his team to set and implement an effective strategy for managing risks that could otherwise negatively impact our ability to meet those expectations.
Hession: I have been very fortunate at BT Radianz in that security is an integral part of what we do and a major component of our value proposition to our customers. Everyone in the organization understands that, which makes my job a lot easier.
Ultimately, business decisions come down to a risk/return trade-off, which the management team must make. My team's part in that process has two phases, first the analytical: identifying, quantifying and presenting the risk issues to management; then the second phase, working with the business units to mitigate, assign or accept those risks. The critical skill in this pragmatic approach is being able to deliver within the constraints of time and resources.
To be successful as CSO in our environment, one does not need direct control; it is much more of an influencing role. Fundamentally, such a role needs a prominent position in the organization and the full support of the chief executive, both of which I enjoy.
How has the CEO-CSO relationship evolved over time at BT Radianz? How have you become more effective at securing the company?
Hession: I joined BT Radianz as CSO shortly after the company was founded in June 2000. In those six years our business has grown by over 60% a year, during which time we adapted and aligned our organizational structure to meet our goals. My relationship with the CEO evolved much in the same way as our business matured.
In the beginning, I was focused on managing security risks that could cause contractual liability and impact [service-level agreements]. The CEO wanted to know that we could manage the risks of the very demanding contractual terms being requested by some of our customers. These major contracts had board-level visibility, and so did the risks. Over time we developed more formal processes based on utilizing a risk register and associated methodology with a quarterly review. As business grew, and we developed our product and services portfolio, the emphasis of my relationship with the CEO shifted to focus more on business development opportunities. Our conversations focused more on our customers' needs to manage risk and security, and the type of additional capabilities we could build to assist them with those challenges.