Issue of June 2003 

The CSO debate

The CSO takes on a different view of security than the CIO. CSOs view security from a business perspective—they have to ensure that business is not disrupted in any way due to security breaches or threats.

Security management has become a complex task. It involves not just lobbying for security funds but also mapping security measures to business needs. This adds to the long list of CIO responsibilities. That's why many organizations in the US and Europe are deputing a separate executive to manage security—the Chief Security Officer (CSO). The CSO shoulders the overall information security initiative of a company and reports directly to the CEO. However, this trend is not visible here in India.


In India, only a few companies have a CSO. In fact, just 18 percent of the respondents said they have one. Also, among companies that do not have a CSO, only 14 percent plan to create the post of CSO.

Companies feel that the various security solutions deployed should minimize the risks (therefore, there's no need for a separate security manager). After all, the (huge) investment in security solutions must be justified and provide some returns. Others feel the nature of their business, and business data, are such that the risks are not too high—hence this does not justify the need for a CSO.

Why have a CSO?
If security is to be taken seriously within an organization, then the initiative should be driven from the top. The CEO has to announce the security policy and should be involved in all decisions relating to security. He should depute the CSO to take on the responsibility of managing security, and the CSO must report directly to the CEO—not to the CIO.

Reporting to the CEO is preferable because he's a business leader with a holistic view of the business. A CEO's decisions are not influenced by IT systems, new technology, and technical problems.

The CSO takes on a different view of security than the CIO (who is concerned with selection and deployment of technology solutions). CSOs view security from a business perspective—they have to ensure that business is not disrupted in any way due to security breaches or threats. This means a CSO's responsibilities extend beyond IT. He is also concerned with the operational efficiencies of the business, and has to implement cost-effective risk management measures.

The CSO is also considered to be a management executive. That ensures security will be viewed more seriously, across all ranks.

Of the few that do have a CSO, 50 percent said he/she reports to the CIO, while 39 percent said he/she reports to the CEO. The numbers are almost interchanged for those that do not have a CSO. Among those that do not have a CSO yet, 50 percent think he/she should report to the CEO while 29 percent say that if they had a CSO, he/she should report to the CIO.

What does a CSO do?
The main duties of a CSO include:

  • Mitigating risks and ensuring business continuity by choosing the right security and data protection solutions. Ensuring these solutions are properly configured and kept up to date.
  • Defining proactive processes and reactive/recovery measures.
  • Setting the security policy. Reviewing and updating it.
  • Creating security awareness through internal educational programs. Advising functional heads and managers about security issues.
  • Coordinating with various internal departments (accounts, HR, physical security, legal, etc.) and external agencies (service providers, vendors, government departments, regulators) on security issues.
  • Risk management, business continuity and disaster recovery.
NM Suggests
  • IT security should not be only about technology—factor in people and processes too.
  • Protect all areas of the network—don't focus only on data protection and access controls.
  • Think beyond anti-virus and firewalls. Check whether you need solutions like IDS or encryption tools.
  • Security policy should involve everyone in the organization. Take a top down approach when forming the policy. To make your security policy effective, it should be documented, properly implemented, and frequently revised.
  • Conduct regular audits and review the security policy periodically. Audits are closely related to security policy. They are done periodically to check if the security policy is effective in a changing business environment. When conducting audits, do consider hiring the services of an external audit agency.
  • Think of hiring a CSO. Also, the CSO should report directly to the CEO. A CSO can give the CEO a view of security with the business in mind. Otherwise, security becomes an issue that begins and ends with the IS department.

© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.