No strangers to the three-letter acronym, even players in the infosecurity industry might have been perplexed if they had come across the CSO title two or three years ago. The chief security officer position virtually did not exist at that time and even now, for those who have taken on the assignment, roles and responsibilities vary drastically from company to company, industry to industry.
There are over 200 CSOs practicing now, but duties, credentials, salaries and reporting structures differ enormously across the spectrum of vertical markets, according to research from Giga Information Group. Additionally, some industries are leaning toward moving CSOs to the executive level, such as in the software, financial and utilities markets, though others position them lower.
"The CSO frequently faces an uphill grind of dealing with the political side of change, increasing awareness of security issues and gaining commitment," says Clifford May, principal consultant with Integralis, a systems integrator with offices in the U.S. and Europe. "Typically, the CSO is faced with an organization that has little idea of what their information assets are, what they are worth to the business, who should take ownership of them, and what level of risk they are subject to."
These are some of the main reasons the CSO post is a difficult one to fill, he says. Matt Anthony, director of marketing for Georgia-based CipherTrust, adds that not too many organizations seem to have an executive-level security leader in place at this stage. Those that do, appear to have CSOs who carry similar duties to the chief information officer, but who are more aggressive when it comes to going to bat for security projects. He adds that those who find success and support can usually handle the political problems they may face in spearheading security projects, as well as explain the technical aspects of the tools required to reach infosec goals.
Because there are still many organizations that have sketchy ideas of how and where security projects play in their business, CSOs have huge roles to play in providing a solid infosec direction, says Integralis' May.
Still, Giga's vice president and security expert Steve Hunt said in a recent news release there are five critical areas a CSO will have to tackle, including the evaluation of risk, counseling on security measures, development of security procedures, oversight of policy and administration, and communication with outside consultants and outsourcers.
"The role of the CSO is a difficult one to fill as it requires an individual who is a skilled diplomat, negotiator and motivator – someone who can manage and drive cultural change," says May. "Most organizations have developed their existing security on a reactive basis with no consistent plan, but many are beginning to realize that strong security requires a proactive and planned strategy."
As such, he says the major role for a CSO to play is one of champion for security that is "tightly integrated into every part of the business." The CSO is the one who evangelizes the idea that infosecurity is no longer separate from business, or even seen as an impediment to the quickness of various application roll-outs – it is simply a part of today's way of conducting business.
"Specific roles and responsibilities for security need to be included in everyone's job descriptions, and awareness training is vital to gain the buy-in needed to ensure people will take it seriously," he notes. "A talented CSO will guide the complete risk assessment and management process, developing a comprehensive strategy across the whole organization."
To accomplish security across the corporate infrastructure, says Etienne Greeff, professional services director for MIS Corporate Defense Solutions, the CSO will face policy and strategy development responsibilities, plus issues associated with organizational structures, legal areas, technical and non-technical IT security problems, business continuity, incident management and much more. In the end, CSOs must be viewed as more than just police officers who ensure that employees comply with policies, procedures and standards. Otherwise, he warns, they will quickly be seen in a negative way; they will become the ones in the organizations who slow down business processes fundamental to fattening the bottom line.
"The largest challenge with any CSO is that for the role, and ultimately the individual, to be successful the person should be seen as an enabler. ... If the CSO is seen in a positive light, as someone who reduces the risks of doing business, the chances of success become higher," he says.
Illena Armstrong is U.S. editor for SC Magazine.