Do You Need a CSO?
When times get tough a lot of positions that dont contribute to the bottom line are at risk. And, frankly, the CSOs job can be viewed by as supernumerary and thus fertile ground for cost savings. Why is this?
First lets talk about security leadership, then about how to decide if you need a CSO, and finally how to get the best return on your CSO investment.
I have always believed that responsibility for an organizations security should rest on the shoulders of someone. Lets face it despite the constant barrage of news stories about breaches, cyber extortion, and targeted attacks, many organizations still treat security as a layered-in expense to be spread around between desktop, server, and network admins.
When there is no single person to stop-the-buck you find a lot of memos written warning of impending disaster but very little action.
I have known far too many IT security people who feel their responsibility ends with a memoCYA at its best since there is no stronger motivation for taking action within the corporate world than the fear of losing your job.
I know of two large organizations, one a large security software company and the other a credit card organization, that appointed their CSOs the day after a major security incident.
So yes, there is a vital position at most organizations whose job description should read: If we suffer an outage or business loss due to careless security practices you get fired. Should that be a CSO?
I think the answer to that question depends on whether your company is run bureaucratically or if you are a get-things-done organization.
In a bureaucracy, the responsible security person needs that C-level title and the office to go with it to get anything accomplished. Whereas in a lean, do-what-needs-to-be-done environment, it is not worth the baggage that usually rides along with a CSO.
So, if you have a CIO, CMO (Chief Marketing Officer), CPO (Chief Privacy Officer), then you probably need a CSO.
Here are my tips for creating an effective CSO role within your organization:
In the end, though, as you contemplate creating the position of CSO, keep in mind that the position will not make you any more secure. There are a dozen things you can do today to make your company much more secure from attack that are less costly than appointing a CSO. What are they? That is a topic for another day!
Richard Stiennon is vice president of Threat Research at Webroot Software. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine. You can read his blog at www.threatchaos.com.