The changing role of the CSO
In the last few months I’ve been hearing more and more from CEOs, CIOs and CSOs about the changing role of the CSO (or CISO, depending on your org chart) in the enterprise. In the past, the CSO has nearly always been a technically minded person who has risen through the IT ranks and then made the jump to the executive ranks. That lineage sometimes got in the way when it came time to deal with other upper managers who typically had little or no technical knowledge and weren’t interested in the minutiae of authentication schemes, NAC and unified threat management. They simply wanted things to work and to avoid seeing the company’s name in the papers for a security breach.
But that seems to be changing rather rapidly. Last month I was on a panel in Chicago with Howard Schmidt, Lloyd Hession, the CSO of BT Radianz, and Bill Santille, CIO of Uline, and the conversation quickly turned to the ways in which the increased focus on risk management in enterprises has forced CSOs to adapt and expand their skill sets. A knowledge of IDS, firewalls and PKI is not nearly enough these days, and in some cases is not even a requirement for the CSO job. One member of the audience said that the CSO position in his company is rotated regularly among senior managers, most of whom have no technical background and are supported by a senior IT staff member who serves as CISO. In other words, the CSO slot is seen as a necessary stop on the management circuit. Several other CSOs in the audience said that they no longer report to the CIO and are not even part of the IT organization. Instead, they report to the CFO, the chief legal counsel, or in one case, the ethics officer.
The number of organizations making this kind of change surprised me at the time. But, in thinking more about it, it makes a lot of sense, given that the daily technical security tasks are handled by people well below the CSO’s office. And many of the CSOs I know say they spend most of their time these days dealing with policy issues such as regulatory compliance. Patrick Conte, the CEO of software maker Agiliance, which put on the panel, told me that these comments fit with what he was hearing from his customers, as well. Some of this shift is clearly attributable to the changing priorities inside these enterprises. But some of it also is a result of the maturation of the security industry as a whole, which has translated into less of a focus on technology and more attention being paid to policies, procedures and other non-technical matters.
How this plays out in the coming months and years will be quite interesting. My guess is that as security continues to be absorbed into the larger IT and operations functions, the CSO’s job will continue to morph into more of a business role.
Posted: December 7th, 2007 under Information Security Careers.
Hi Dennis,
This is actually interesting. A few years ago I ran a CSO Roundtable in Switzerland with the title “Who is in Charge” and the result was mainly that the job of the CSO is to communicate the information security risks to management and then it is the management’s responsibility to decide on their risk appetite.
Additionally, we published a study at RSA Europe about the collaboration between Security, Privacy and Marketing (as a placeholder for business). You can find the most important results here: http://blogs.technet.com/rhalbheer/archive/2007/10/23/rsa-europe-are-you-ready-for-security-and-privacy.aspx The lowlights to me were that only approx. 30% of the Marketing people are asking Security/Privacy people when they handle critical data (PII). In Security and Privacy, however, 80% think that they were asked… The reason? Well, only 21% of the Marketing people see security and privacy objectives as NOT being in conflict with business objectives…
So, I fully support your view.
Roger
Comment by Roger Halbheer — December 7, 2007 @ 6:55 pm
[…] It’s nice when the market comes to you. I’ve been talking about the need for Chief Security Officers to become more business oriented, rather than technically focused, for a long time. Now it seems this is the discussion that the “cool kids” are having at conferences and other venues. TechTarget’s Dennis Fisher talks about a panel at their recent Information Security Decisions show that basically says the skill set of the CSO needs to rapidly expand. […]
Pingback by Pragmatic CSO Weekly #38 | Stop ID Thieves — December 12, 2007 @ 2:14 pm