Security
The CSO debate

The CSO takes on a different view of security than the CIO. CSOs view security from a business perspective—they have to ensure that business is not disrupted in any way due to security breaches or threats

Security management has become a complex task. It involves not just lobbying for security funds but also mapping security measures to business needs. This adds to the long list of CIO responsibilities. That's why many organizations in the US and Europe are deputing a separate executive to manage security—the Chief Security Officer (CSO). The CSO shoulders the overall information security initiative of a company and reports directly to the CEO. However, this trend is not visible here in India.

Click on images for larger view

In India, only a few companies have a CSO. In fact, just 18 percent of the respondents said they have one. Also, among companies that do not have a CSO, only 14 percent plan to create the post of CSO.

Companies feel that the various security solutions deployed should minimize the risks (therefore, there's no need for a separate security manager). After all, the (huge) investment in security solutions must be justified and provide some returns. Others feel the nature of their business, and business data, are such that the risks are not too high—hence this does not justify the need for a CSO.

Why have a CSO?
If security is to be taken seriously within an organization, then the initiative should be driven from the top. The CEO has to announce the security policy and should be involved in all decisions relating to security. He should depute the CSO to take on the responsibility of managing security, and the CSO must report directly to the CEO—not to the CIO.

Reporting to the CEO is preferable because he's a business leader with a holistic view of the business. A CEO's decisions are not influenced by IT systems, new technology, and technical problems.

The CSO takes on a different view of security than the CIO, (who is concerned with selection and deployment of technology solutions). CSOs view security from a business perspective—they have to ensure that business is not disrupted in any way due to security breaches or threats. This means a CSO's responsibilities extend beyond IT. He is also concerned with the operational efficiencies of the business, and has to implement cost-effective, risk management measures.

The CSO is also considered to be a management executive. That ensures security will be viewed more seriously, across all ranks.

Of the few that do have a CSO, 50 percent said he/she reports to the CIO, while 39 percent said he/she reports to the CEO. The numbers are almost interchanged for those that do not have a CSO. Among those that do not have a CSO yet, 50 percent think he/she should report to the CEO while 29 percent say that if they had a CSO, he/she should report to the CIO.

What does a CSO do?
The main duties of a CSO includes responsibilities such as:

• Mitigating risks and ensuring business continuity by chosing the right security and data protection solutions. Ensuring proper configuration and updation of these solutions.
• Defining proactive processes and reactive/recovery measures.
• Setting the security policy. Reviewing and updating it.
• Creating security awareness through internal educational programs. Advising functional heads and managers about
  security issues.
• Coordinating with various internal departments (accounts, HR, physical security, legal etc) and external agencies (service providers, vendors, government departments, regulators) on security issues.
• Risk management, business continuity and disaster recovery.