Even before the events of 9/11, infrastructure security had earned a place near the top of the IT priority list, driven by more capable attackers and a growing number of software vulnerabilities. Yet, despite a compelling need for greater security oversight, most enterprises have not created and staffed a Chief Security Officer (CSO) position.
And in the rare instances in which a CSO is in place, there’s still much debate over the parameters of the CSO's responsibilities within the IT environment.
The most obvious obstacle is funding: creating a new executive role is not something most companies with tight budgets are eager to do. But money is not the only problem; according to industry experts and reports, there are several hurdles to putting a CSO in place.
Common roadblocks to hiring a CSO
According to a recent survey of Fortune 1000 executives by Christian & Timbers, a global executive search firm, even when a CSO is hired, he or she may not have a defined role or status in the company hierarchy.
“If your organization is small enough, you probably won't have a CSO because there isn't enough to do,” said Dennis Dickens, an IT professional in the manufacturing and service industries. “What you may have is someone responsible for making sure that critical things are secure enough for comfort,” he said.
Andy Weiss, a help desk staffer at DYNCORP, said that while there is a need for a CSO, it's not easy to find a candidate with the necessary experience. Additionally, Weiss stated, the accompanying six-figure salary is often out of reach for most enterprises.
Yet, there are CSOs in place, mostly at billion-dollar conglomerates. According to a January study by Booz Allen Hamilton that surveyed firms with more than $1 billion in annual revenues, 54 percent of the 72 chief executive officers surveyed reported that a CSO was in place, and 90 percent of those CSOs had served in the role for more than two years.
Clinton Jones, manager of infrastructure and technical support for Almarai Co. in Saudi Arabia, said many CEOs, CIOs, and COOs see the role as executive-level competition.
“The question is about who the CSO should be responsible to—operations, finance, IT? The CSO’s role is to ensure that there are policies and procedures and then audit them,” explained Jones. “The CSO does not need to know, for example, how you secured something, merely whether it is secure and then test the quality of that security,” said Jones, adding that the CSO’s responsibility is to ensure that the company’s technological infrastructure is safe, secure, and private.
Jones said that it is common for companies to rely solely on consultants to handle security concerns simply because, if a competing company discovers the firm is hiring a CSO, it could be misconstrued as a security problem—a red flag that competitors could exploit.
The need for an internal security guard
While news headlines harp on recent denial of service attacks and the latest network worms plaguing corporate enterprises, IT professionals are quick to point out that a CSO is also needed to stop internal threats.
“You may have the most secure cybernetwork on the planet, but the cybersecurity is moot if someone from inside the company can walk away with yesterday's backups,” explained Dickens. “When you get down to it, one of the weakest links in any security system is the warm body in charge of the entry points to a company. Whether this person is the armed guard at the front entrance or the data entry clerk behind the scenes, this warm body can be the weak point that allows critical data to be stolen.”
Understanding the internal risks is often the first step toward defining the CSO role. Dickens suggests creating a list of CSO responsibilities and evaluating who is currently handling those issues within the organization. That type of internal review, say industry analysts, often enlightens executives about the pressing need for a CSO.
“The CSO is a fairly new role in corporations and agencies, but in its brief history has proven to increase operational efficiency and security effectiveness by coordinating security efforts across the organization, managing outsourcing contracts, and mapping security measures to real business risks,” said Steven Hunt, a vice president at Giga Information Group, a Cambridge, MA-based research firm.
According to Hunt, there are three possible approaches to managing a security risk: accept the risk, assign the risk (transfer it to another party, for example through insurance or an outsourcing contract), or mitigate the risk.
“The extent to which you choose mitigation and the complexity of your IT infrastructure’s applications portfolio will ultimately dictate the size and depth of your internal security program,” Hunt said. “The tolerance for risk, more than anything else, dictates the resources that will be needed for the security organization.”
The continuing and increasing security threats are reason enough to put a CSO in place, according to Jim Noble, network and security manager for INFO1, Inc. Traditionally, an internal department, often on the business side, has handled risk-management issues and reported to the CFO or CEO. Today, with the security risk level so high, those risk managers should be reporting to a CSO, Noble said. He also believes that CSOs do not have to be tied to IT; the role, he added, requires a well-rounded business professional with strong security knowledge.
“CSOs should not be burdened with day-to-day details of network patch levels and threats, but should instead drive security policy and procedures down all sections of the business,” Noble explained. “Those people who feel that an IT staffer should have this responsibility are simply fooling themselves. They really don’t have the experience or ability to provide this level of security for large or midsize companies.”
Jones predicts that the lack of CSOs won’t continue, as it’s a role no organization will be able to ignore for much longer. “As markets become more competitive and intellectual capital becomes more valuable and electronically-based, the role of the CSO will grow.”