Do You Need a CSO?

By Richard Stiennon


The title and position (and sometimes office) are fairly new. Not so new that they haven’t seen some ups and downs, though. In the 2000-2001 timeframe there were a lot of CSO lay-offs.

When times get tough, a lot of positions that don’t contribute to the bottom line are at risk. And, frankly, the CSO’s job can be viewed as supernumerary and thus fertile ground for cost savings. Why is this?

First, let’s talk about security leadership, then about how to decide if you need a CSO, and finally about how to get the best return on your CSO investment.

I have always believed that responsibility for an organization’s security should rest on someone’s shoulders. Let’s face it: despite the constant barrage of news stories about breaches, cyber extortion, and targeted attacks, many organizations still treat security as a layered-in expense to be spread around among desktop, server, and network admins.

When there is no single person with whom the buck stops, you find a lot of memos written warning of impending disaster but very little action.

I have known far too many IT security people who feel their responsibility ends with a memo—CYA at its best, since there is no stronger motivation for taking action within the corporate world than the fear of losing your job.

I know of two large organizations, one a large security software company and the other a credit card organization, that appointed their CSOs the day after a major security incident.

So yes, there is a vital position at most organizations whose job description should read: “If we suffer an outage or business loss due to careless security practices you get fired.” Should that be a CSO?

I think the answer to that question depends on whether your company is run bureaucratically or if you are a get-things-done organization.

In a bureaucracy, the responsible security person needs that C-level title and the office to go with it to get anything accomplished, whereas in a lean, do-what-needs-to-be-done environment the role is not worth the baggage that usually rides along with a CSO.

So, if you have a CIO, a CMO (Chief Marketing Officer), and a CPO (Chief Privacy Officer), then you probably need a CSO.

Here are my tips for creating an effective CSO role within your organization:

  • Make the responsibility for securing the enterprise explicit. In other words, put the responsibility squarely on the shoulders of this person.
  • The CSO should conduct continuous scans, audits, and reviews of programs and have the power to change configurations, policies, and authorizations to correct lapses in security.
  • Have the CSO deploy a security policy based on ISO 17799. Do not start from scratch.
  • Have the CSO create a high level security metric that indicates the state of readiness of the organization as a whole as well as individual departments. He or she can then target specific areas of risk and be measured and rewarded on improvements in those metrics.
  • Promote a CSO from within (and, yes, the role must be filled by a security person). If you don't have a security person to promote, you are probably too small an organization to justify a CSO in the first place.
  • Do not institute security awareness training. Yes, send IT administrators to hacking boot camp. That really wakes them up. And train developers in securing code. But every dollar spent on training factory workers in good password management is wasted.
  • In the end, though, as you contemplate creating the position of CSO, keep in mind that the position will not make you any more secure. There are a dozen things you can do today to make your company much more secure from attack that are less costly than appointing a CSO. What are they? That is a topic for another day!

Richard Stiennon is vice president of Threat Research at Webroot Software. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine. You can read his blog at www.threatchaos.com.