Having identified more than 200 companies that employ a CSO, Giga Information Group says the title is already gaining a great deal of traction both in the UK and in the US.
By most accounts, the CSO is accountable for both IT security policies and for physical operations - things such as security guards and internal cameras.
According to Giga, the role's raison d'être is that companies need someone to co-ordinate the vast array of security initiatives across an organisation.
The question is, how can a position with such an important charter be expected to succeed when, in effect, its incumbent is expected to be a corporate jack-of-all-trades - capable of handling denial of service attacks and break-ins to the premises in the same breath?
As the chief executive officer of a company selling IT security solutions, I want the CSO role to succeed, but the likelihood of this happening is slim. This person will have to juggle IT and physical security concerns on a daily basis. Is it feasible for one person to ride these two horses?
My greatest concern is that rather than bolstering IT security, the role's broad security focus will dilute security and jeopardise the enterprise's IT well-being.
First, while the CSO role differs from company to company, the people doing this job need to understand that physical security and IT security require vastly different skill sets.
While the detection and prevention principles apply to both areas, CSOs need to be honest about their own skills and hire people to complement their areas of expertise. This is not an easy task for anyone. But for the role to stand any chance of succeeding, a CSO's deficiency in one area needs to be supported by a team that is properly equipped to leverage the knowledge base.
Second, a company must make the hard decision as to where the CSO should report. Should it be to the chief information officer or the chief executive?
The latter reporting structure carries executive endorsement, and makes a statement about the importance of security to the organisation. However, without direct access to the resources found in the IT organisation, the CSO's opportunity to succeed - particularly with IT security - will be hampered as the CSO and chief information officer become embroiled in turf wars over who calls the shots when it comes to dealing with a denial of service attack. Conversely, having the CSO report to the chief information officer provides the CSO with access to sufficient resources; however, it makes security seem to be exclusively an IT issue, which it is not.
Security is a combination of internal practices and policies - and even sometimes industry or government regulations. Companies should train employees; monitor systems; and maintain historical information for comprehensive analysis and to check for compliance with policies and regulations.
The bottom line is that companies need to understand that it takes more than a new title to ensure a coherent and cohesive security practice.
They must think before they spend either on technology or a new executive. Too many organisations make the mistake of trying to haphazardly buy their way into security - with people or technology - when in reality security needs to be a well-planned and methodical ongoing programme.
Security is a journey that involves all levels of the company from the chief executive locking his desktop when he goes home to the receptionist refusing to let "tailgaters" into the building in the morning.
Every day new methods of intrusion appear. And without a well-planned programme for security, whether instituted by a CSO or chief information officer, regular violation of a company is virtually guaranteed.
Ratmir Timashev is CEO of Aelita Software
This was first published in November 2002