Security: A Job For the Super-CSO?
With security risks converging, the chief security officer has to master them all – and gain support from the whole organisation
Each one needs to consider the effects of what they do, including the effects on other functions in the business – as stopping one risk may cause others. And they also have to do something which may not come naturally to all CSOs: share information, in streamlined reports which make sense.
Convergence takes some thinking
The ASIS report deserves a read: it was put together with the help of the Institute of Information Security Professionals, the Information Security Awareness Forum, ISACA, the Institute of Criminal Justice Studies at Portsmouth University, the Information Assurance Advisory Council, the Security Awareness Special Interest Group, The Security Institute and the National Federation of Fraud Forums.
“Companies are not sure where their threats are coming from, so we’ve got to work out a unified approach,” said James Willison, who leads on convergence at ASIS. In the past, different security specialists, including physical security and data security, have reported to different people: “it has been siloed”, he said, and breaking down this silo would save money and cut risks.
Part of the struggle is, as always, to get senior people to take the issue seriously. Justin Bentley, chief executive at IPSA, said: “Anything which helps people at Board level understand that the real risk of loss to a company is about more than preventing petty thefts is beneficial,” suggesting that even simple things like giving the CSO a serious job title might help.
And operating at a higher level, they will need a good grasp of general principles and have to rely on subordinates for technological details. “In the same way that, previously, the CSO would recommend the height of a brick wall without needing to know how to mix cement, the modern CSO needs to understand the risks of computer networks and accessibility of digital information,” said Bentley. “He or she will probably have an IT director reporting to them who will understand how to secure a packet of information travelling the internal network or the Internet.”
Joined Up Thinking
“Personally, I remain dubious as to whether or not the CSO will receive a pot of money entitled ‘Security’ and then decide the proportion to be spent on physical security, IT security and any other areas,” Bentley said.
“However, it should lead to more joined-up thinking. For example, when looking at CCTV over IP the CSO should be considering the security of the network and whether it can cope with the increase in traffic.”
It seems as if the super-CSO has to have access to a massive skillset amongst colleagues, even if he or she can’t be master of them all. And the super-CSO has to command respect and gain co-operation from every single division of the company.
Info4Security and SMT are published by United Business Media, the company behind the IFSEC show.