A knowledge of information security risk management is
just one of the many skills a chief security officer needs for
crafting, influencing and directing an effective organisation-wide
protection strategy, according to guidelines from a group of
security professionals.
Increasingly, the job also calls for an understanding of issues
as diverse as emergency preparedness, crisis management and
response, physical security, disaster recovery, as well as privacy
and regulatory matters.
The guidelines were released by ASIS International, a
33,000-member group of security professionals.
"There's been a lot of discussion on the need for organisations
to create a centralised governance function for many areas of
risk," said Jerry Brennan, president of Security Management
Resources.
The guidelines are the result of an attempt to give a formal
definition of the scope, responsibilities for reporting
relationships and experience needed to do the job.
"There wasn't much available that addressed the pulling
together, from a governance perspective, of all of the areas of
security risk that an organisation faces," Brennan said. "So we
decided to try and craft a document that would be broad-based and
truly represent what the CSO position would be in an
organisation."
The ASIS guidelines come at a time when a growing number of
security professionals say there needs to be a top-level management
position to oversee all aspects of operational risk.
"I have always found it preposterous to suggest that there are
separate disciplines that require separate management" when it
comes to operational security, said Dennis Treece, director of
corporate security at the Massachusetts Port Authority in
Boston.
For example, installing a privacy officer who is separate from
the rest of the security team only "fragments the effort and
ensures that the physical and virtual aspects of privacy have to be
laboriously co-ordinated", he said. The same is true when it comes
to having separate chief information security officer and CSO
functions.
"Having been both separately and now both at the same time, I
can state with confidence that combining them makes the most
sense," Treece said.
Even so, security professionals agree that only a relatively
small number of companies have created a formal CSO function
because of the substantial political and organisational challenges
that need to be overcome in doing so.
The popular notion of the CSO being the person in charge solely
of IT and physical security functions has also limited the
effectiveness of the role, said David W Stacy, global IT security
director at St Jude Medical, a US manufacturer of medical
equipment.
"I prefer the concept of the chief risk officer that encompasses
these two areas," while also including other functions such as
privacy, risk insurance and regulatory compliance, Stacy said.
"So, moving to a CSO model that only deals with IT security and
physical security may be a logical first step to eventually getting
to a CRO model," he added. "But even having a CSO would be a
revolution, as opposed to an evolution, in many organisations."
Some security professionals have trouble with the concept of
having an all-encompassing role. For one thing, "there is a huge
difference between the practice of physical security management and
information security management," said Eddie Schwartz, chief
technology officer at Securevision consultancy.
"While both disciplines have the use of technology as a common
element, the background and education of the practitioners are
distinct."
There's also the danger of rolling far too many functions under
the CSO umbrella, Schwartz said.
"It's an unnatural organisation of activities and doomed to
failure in most organisations."
Jaikumar Vijayan writes for Computerworld