The CSO takes on a different view
of security than the CIO. CSOs view security from a
business perspective—they have to ensure that business
is not disrupted in any way due to security breaches
Security management has become
a complex task. It involves not just lobbying for security
funds but also mapping security measures to business
needs. This adds to the long list of CIO responsibilities.
That's why many organizations in the US and Europe are
deputing a separate executive to manage securitythe
Chief Security Officer (CSO). The CSO shoulders the
overall information security initiative of a company
and reports directly to the CEO. However, this trend
is not visible here in India.
|Click on images for larger
In India, only a few companies
have a CSO. In fact, just 18 percent of the respondents
said they have one. Also, among companies that do not
have a CSO, only 14 percent plan to create the post
Companies feel that the various
security solutions deployed should minimize the risks
(therefore, there's no need for a separate security
manager). After all, the (huge) investment in security
solutions must be justified and provide some returns.
Others feel the nature of their business, and business
data, are such that the risks are not too highhence
this does not justify the need for a CSO.
have a CSO?
If security is to be taken seriously within an organization,
then the initiative should be driven from the top. The
CEO has to announce the security policy and should be
involved in all decisions relating to security. He should
depute the CSO to take on the responsibility of managing
security, and the CSO must report directly to the CEOnot
to the CIO.
Reporting to the CEO is preferable
because he's a business leader with a holistic view
of the business. A CEO's decisions are not influenced
by IT systems, new technology, and technical problems.
The CSO takes on a different
view of security than the CIO, (who is concerned with
selection and deployment of technology solutions). CSOs
view security from a business perspectivethey
have to ensure that business is not disrupted in any
way due to security breaches or threats. This means
a CSO's responsibilities extend beyond IT. He is also
concerned with the operational efficiencies of the business,
and has to implement cost-effective, risk management
The CSO is also considered
to be a management executive. That ensures security
will be viewed more seriously, across all ranks.
Of the few that do have a CSO,
50 percent said he/she reports to the CIO, while 39
percent said he/she reports to the CEO. The numbers
are almost interchanged for those that do not have a
CSO. Among those that do not have a CSO yet, 50 percent
think he/she should report to the CEO while 29 percent
say that if they had a CSO, he/she should report to
does a CSO do?
The main duties of a CSO includes responsibilities such
- Mitigating risks and ensuring
business continuity by chosing the right security
and data protection solutions. Ensuring proper configuration
and updation of these solutions.
- Defining proactive processes
and reactive/recovery measures.
- Setting the security policy.
Reviewing and updating it.
- Creating security awareness
through internal educational programs. Advising functional
heads and managers about
- Coordinating with various
internal departments (accounts, HR, physical security,
legal etc) and external agencies (service providers,
vendors, government departments, regulators) on security
- Risk management, business
continuity and disaster recovery.
- IT security should not be only about technologyfactor
in people and processes too.
- Protect all areas of the networkdon't
focus only on data protection and access controls.
- Think beyond anti-virus and firewalls. Check
whether you need solutions like IDS or encryption
- Security policy should involve everyone in
the organization. Take a top down approach when
forming the policy. To make your security policy
effective, it should be documented, properly
implemented, and frequently revised.
- Conduct regular audits and review the security
policy periodically. Audits are closely related
to security policy. They are done periodically
to check if the security policy is effective
in a changing business environment. When conducting
audits do consider hiring the services on an
external audit agency.
- Think of hiring a CSO. Also, the CSO should
report directly to the CEO. A CSO can give the
CEO a view of security with the business in
mind. Otherwise, security becomes an issue that
begins and ends with the IS department.