"Within our business unit, I have the full support of senior leadership and the CIO to go get done what I have to get done in order to get us compliant" with parent company GE's security requirements, Beeson says. What he doesn't have the authority to do, he says, is make broad policy decisions that go beyond the confines of GE's overall security strategy.
The way GE is organized, the parent company has its own security department and leadership, as does its GE Capital unit and GE Capital Americas. The parent company and GE Capital each have CISO councils, of which Beeson is a member.
As a member, Beeson can suggest new technologies for the councils to consider and can recommend ways to strengthen security postures at the companies.
"I can influence those [councils], but not in terms of decision making and the authority to actually move things forward," Beeson says. He frequently has to go through the councils for approvals on key security technologies or major changes in security policy or procedures.
"My boss looks to me to oversee [security] for the GE Capital Americas business," Beeson says. "But I might not be able to pick a tool or technology or revise a policy. That's not so simple."
The Value of Security
Some executives are comfortable with the level of authority security chiefs have. "I believe that most companies do give their [CISOs and CSOs] the authority to achieve success," says Roland Cloutier, CSO at Automatic Data Processing (ADP), a provider of human resources, payroll, tax and benefits administration services.
"Authority does not mean unlimited resources or a 'yes' to every security, risk or privacy program they want to implement," Cloutier says. Rather, it's a workspace that understands the need for an executive security leader, provides mechanisms for professional input and collaboration, and promotes the opportunity for careful consideration of business-impacting issues, he says.
"Typically, if a company has made the commitment to staff a CISO/CSO-like position, [it has] taken a very important first step," Cloutier says. "Often it is the responsibility of that security executive to define success for their organization and develop and deliver the business impact efforts necessary to drive the results."
In Cloutier's experience, businesses that have difficulty taking a balanced approach to effective security typically have issues in either governance and oversight or segregation of duties.
"First, without an established authoritative executive oversight group that provides guidance to a security program, [then] prioritization, business alignment and cross-business visibility are very difficult to achieve," Cloutier says. "Those basic concepts are fundamental to the success of any given program, not just security."
Regarding segregation of duties, those security organizations that are operationally managed by a group that has contrasting ideas about security, risk or privacy functions often find themselves incapable of solving problems, thanks to management, financial or organizational issues.