What is a Chief Security Officer?
- Lead operational risk management activities to enhance the value of the company and brand.
- Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
- Identify protection goals, objectives and metrics consistent with the corporate strategic plan.
- Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
- Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology.
- Maintain relationships with local, state and federal law enforcement and other related government agencies.
- Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
- Work with outside consultants as appropriate for independent security audits.
Qualifications:
- Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
- Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
- Must have strong working knowledge of pertinent law and the law enforcement community.
- Must have a solid understanding of information technology and information security.
Maybe the single most influential article on CSOonline.com has been "What is a CSO?" A number of people have helped big companies better understand the role—then create a better-funded and better-managed security function—by forwarding that article to a CEO, a CFO or an HR manager.
Here's a still more advanced way of understanding the CSO role and the business value of risk management.
In the 80s, Harvard business professor and consultant Michael Porter wrote about value chains. A simplified explanation of his theory is this:
Every company tries to build a great sales department. A great marketing department. Efficient financial systems. Excellent manufacturing operations. And because every company tries to make those functions great, it's very hard to get a big competitive advantage that way. Good departments are a basic requirement, likely not a competitive advantage.
The place to build competitive advantage, Porter said, is in how well those departments are connected to each other. Lots of value and speed are lost in passing information and goods between those functions. A company that takes the friction out of those interconnections will be faster, more nimble, better than a company that doesn't have the same fluidity.