Jerry Brennan has just chaired a Committee on behalf of ASIS International that developed some strategic guidelines for organisations to use should they wish to develop a fully-integrated chief security officer position (equivalent to a security manager in the UK). Are there any lessons for us to learn?

Those of you familiar with ASIS International will know that, back in 2001, the organisation established its Commission on Guidelines. One of the early projects identified as being critical to the security industry was the development of the chief security officer (CSO) guidelines – the equivalent grade to a security manager in the UK.

To help with the guidelines’ development, a Working Committee was pulled together comprising 23 senior level corporate security executives representing a broad cross-section of industries. Several of the Committee Members serve (or have served) in their organisations as chief security officers.

On this occasion, the guidelines needed to be a forward strategic model for businesses to use in the creation of a position having governance responsibility for identifying and anticipating areas of risk. The person concerned would then set in place a cohesive strategy across all functions to mitigate or reduce these risks.

The model CSO function profile recommends the position provide governance support with respect to security loss issues across several risk areas, including: Human Resources and intellectual assets, ethics and reputation, financial assets, IT systems, transportation, distribution and the supply chain, legal, regulatory and general counsel, physical security and premises security.

A further review of the model will highlight the interdependence between the suggested processes and risk areas. That is to say that each risk area’s security-related potential loss issues are interchangeable among the others, and are subsets of each other. All of the suggested processes are also interwoven within each of the risk areas. By design these are broad topics, allowing for organisations to customise their own CSO programmes.

It was strongly felt that, for the purposes of these guidelines, operational details and issues of direct versus functional ownership need to be decided within individual organisations. These issues will – and should – be based on the company’s culture, business model and organisational structure. The programme must be directly aligned with, and fully support, the company’s business objectives.

This approach also applies to reporting relationships. We strongly recommend that the CSO reports directly to a senior level executive. That will allow for strong liaison with the Board of Directors and its operating committee.

A clear signal must be sent throughout the organisation of not only senior leadership’s commitment and support for the security function, but also the legitimacy of the security programme/policy itself.