At a bare minimum, the organization should conduct a thorough security audit and perform a risk assessment to identify systems, networks and assets at potential risk. Based on the evaluation of the risks and potential related losses, you could formulate a security policy and a set of plans to remediate or avoid such risks. During that process a consultant can help, but once the process is nearing completion or already done that would be the right time to think about designating a CSO.
For more information on this topic, visit these other SearchSecurity.com resources:
This was first published in April 2003