Is Chief Security Officer a mandate?

By jmottl
With all the security concerns today, do enterprises need a specific job role, like Chief Security Officer, or is the work being absorbed by CIOs, or maybe netadmins with exceptional security backgrounds... seeking input and feedback for a story,
Judy Mottl
CIO Community Editor

All Comments

I don't think it needs a Cxx position

by road-dog In reply to Is Chief Security Officer ...

1) Any CIO worth a damn knows that security is a big issue and will give it due attention.
2) The actual security will be handled by a technocrat on a day to day basis.
3) Any security mandates, policies and procedures will have to be integrated into the general IT bible anyway.
4) Security is a moving target, the bad guys are always changing methods and techniques. Each new software has holes that are high profile targets for hackers. What's the CSO (chief security officer) going to do? "hey NCC load service pack fix on all servers." "I read it in SKY magazine on the redeye to Atlanta this morning."

More than software

by tmcclure In reply to I don't think it needs a ...

The role of security officer encompasses more than just computers. Plant or facilities play just as much a role in securing a network as do the latest patches.

Also keep in mind that enforcing security is more than making users read and sign a policy. It's auditing your system on a regular basis. Depending on the size of your company, that can in itself keep you busy.

CSO scope limits

by generalist In reply to Is Chief Security Officer ...

If you're limiting the scope of the Chief Security Officer to network and computer related considerations, then you don't really need a CSO. It can be a part of the CIO's domain.

On the other hand, if the job involves all forms of security in all areas, not just IT, the CSO might be a useful position.

Having a network secured from invaders doesn't mean that your data is safe. Unless you restrict such things as hard copy, diskette downloads, e-mail attachments, CD burning and related activities, your data can be compromised even if all your people are loyal members of the organization.

People from outside your organization can compromise your data in various ways. Whether they are the lowly janitors or the high paid consultants, they have the opportunity to create security problems even if that is not their intent.

Ignoring the IT side of things, a CSO could also be responsible for physical security of various types. And for that matter, especially in view of the Enron fiasco, the CSO might be in charge of internal audits.

I Can See a Use if the funding is there

by melekali In reply to Is Chief Security Officer ...

I think it depends on the organization and its fiscal restraints. A CSO would be a great complement to an organization, but can be quite expensive because of the extensive backgrounds I have seen these positions advertised as desiring. If I had some of the certifications in a couple of critical areas, like Cisco and Microsoft, I believe I would be a good candidate considering my background. I have never met a company who would hire this kind of a position on an experience-only basis.

As a Network Admin for a small organization with a very limited budget, I was performing these same functions for the organization to protect my network.

Big corporation needs CSO

by sbnetsec In reply to Is Chief Security Officer ...

In my opinion I think big corporations need a CSO because of the nature of network security. As we all know network security is a process that demands a lot of attention and it has some legal issues too.
Over the last few months I have seen security moved from the bottom of the IT list to the upper management. As an Infragard member, we are trying to educate business owners and CIOs about security and the concern has been high.
Please read the story below and you will understand that security is no longer an IT admin affair alone:
Late one recent Sunday night, an executive at a midsized financial services firm received the kind of call everyone in the industry dreads: a demand for $1 million, or else the brokerage's network would crash the next day with a surreptitiously installed program.
The firm's security team spent a frenzied night searching for the pernicious code but failed to find it, and the system went down for an hour in the morning. The executive's phone rang once more: The caller threatened to crash the system again, but this time during peak trading hours. The brokerage, in this case, paid up.

Good question!!

by marshallb2 In reply to Is Chief Security Officer ...

It seems that we must examine the strategic importance of the position. Would the CSO become an alternative to the CIO? In some organizations security concerns may have "sufficient" strategic impact to warrant the new position.

How would we characterise an organization that needs a CSO? I have some ideas if anyone is interested.

CSO is today's reality

by Big-Jim In reply to Is Chief Security Officer ...

Chief Security Officer is today's reality. With the continued existence of threats to an organization (Data, Physical, Competitive), the role of a CSO is becoming necessary. In the past, there usually has been a group or department for Business Risk Management. This group would report to the CFO or CEO for business risk analysis and oversight. With the increase in threat awareness, having that group report to a CSO is becoming a business reality.

CSO's should NOT be specifically tied to IT, but should be a well-rounded business professional with STRONG security knowledge. I agree that CSO's should not be burdened with day-to-day detail of Network Patch levels and threats, but should instead drive Security Policy and Procedures down all sections of the business. This allows the Upper Management chain to see that Security is being driven from the Cxx Level, and therein has strength.

Those people who feel that an IT staffer should have this responsibility are simply fooling themselves. They really don't have the experience or ability to provide this level of security for large or midsized companies.
