The role of the chief security officer (CSO) has expanded. From being the guardian of network security against intruders it is now the job of the CSO to be familiar with all types of data in the organisation, the legal and regulatory framework that applies to it and the ways in which it is stored.
Increasingly the CSO must know which laws and regulations apply – such as the Data Protection Act in the UK and PCI-DSS – and be certain that the physical storage methods are in keeping with compliance requirements.
In this podcast ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the role of the CSO and their need to fully understand the compliance and technical considerations around the organisation’s data.
Antony Adshead: What is the role of the CSO and what do they need to know about data?
Mathieu Gorge: The role of the CSO, also known as the CISO – chief information security officer – has evolved over the past 20 or 30 years from making sure networks were secure from intrusion from hackers and securing the extended network, especially with regard to mobile devices and BYOD.
And over the past five years we’ve seen an increasing push for CSOs to understand the value of data, with regard to big data and the explosion of data created by organisations.
So, one thing that CSOs need to understand is what type of data their organisation works with, who is the custodian of the data within each business silo, and how they classify the data with regard to confidentiality, integrity and availability.
And also how do they make sure the security they put around data does not impact on the ability of the organisation to access the data for big data analytics etc.
This leads into the requirement to fully understand the technical measures that need to be in place, as well as policies and procedures and user awareness from the data protection perspective (i.e., with regard to the Data Protection Act in the UK).
Adshead: What does the CSO need to know about storage?
Gorge: If you look at what the Data Protection Act asks you to do, you need to have appropriate security measures to protect the data that pertains to individuals and businesses. And that means putting in place technical solutions including secure storage, encryption of data in use – potentially at rest or in transit.
It really starts by mapping out the data flow, one business unit to another, and to and from third parties whether trusted or untrusted. It’s really about mapping the data flow and that only the right data is kept in a secure way.
So, if you look at other legal or industry frameworks, if you look at the requirements of the Financial Services Authority (FSA) or PCI-DSS requirement 3.4 about storage of credit card holder data. That’s one thing the CSO needs to be fully familiar with; what type of data can and can’t be kept under any circumstances and how to protect that data once it is stored.
There’s also the issue of e-discovery if I need to access the data under an e-discovery request, making sure the data has been retained and can be accessed.
I think the key here for the CSO is to understand that the concept of data and data management and data security is the link for the CSO to engage with key decision-makers that are very aware of recent data breaches such as Target, Loyalty Build or the NHS.
They understand the value of data and the CSO can use that as a lever to show them the value of data and data storage policies and get budget and commitment to put in place a robust, scalable data storage policy for the organisation.