CSO role reassures clients, but security still the bottom line

Having top executives dedicated to managing risks is essential, especially for security vendors, but, titles aside, the focus should remain on their expertise and ability to keep threats out, experts say.

Chief security officers (CSOs) play a vital role as the dedicated top-level executive responsible for managing risks in organizations and are essential not only in large enterprises, but especially in companies that count security as their bread-and-butter. However, end-users are--and should be--more concerned with the expertise and diligence of their vendors in keeping threats out, rather than the titles and presence of such personnel.

Naren Ganjoo, consultant for Robert Walters' IT commerce division focused on permanent roles, said the security of information systems has become even more critical with the shift toward virtualization and cloud computing.

"Every organization today has a [dedicated] security officer who looks into internal security policies and does regular IT security audits and implementation of new policies, and so on," Ganjoo said.

Concurring, Graham Titterington, principal analyst at Ovum, observed that the number of CSOs or CISOs (chief information security officers), in general, has "grown by a small amount". He noted that large organizations, and companies whose bread-and-butter is associated with security, cannot afford to do without such executives.

"In a large organization, the task will be sufficient to fully occupy a security expert, and will require a lot of deep expertise. And so, it is best to have a dedicated person," Titterington explained. "Smaller organizations can combine it with CIO or other roles."

"I would be concerned if an organization that majors in security, such as a security vendor or a bank, did not have a dedicated expert, but for other organizations I would take a more flexible attitude to the division of responsibilities," he added.

However, he cautioned that people should not be "too hung up on job titles and roles". What is essential is that the organization "does a good job of its security or information security", he said.

As for organizations that are unable to allocate budget or justify hiring a dedicated CSO, they can turn to service providers or consultants, advised Titterington.

Lawrence Pingree, research director at Gartner, expressed a similar view. "If a company cannot handle the internal costs of a long-term CSO or CISO role, a good start is to either engage an external consulting firm to perform a security assessment, or potentially hire a quality security engineer or architect to get the program started and move the organization through some security maturity."

Gartner also has an ITScore model that helps assess the maturity of security programs and their effectiveness, the analyst told ZDNet Asia.

Security vendors need to walk the talk
Touching specifically on security vendors, U.S.-based Pingree said the top five market players all have had dedicated security personnel at the C-level "for quite some time". According to the Gartner analyst, these roles may not have a seat on the board of directors, or may not be listed as part of the management on the respective company Web sites.

A check on the Web sites of Symantec, McAfee, Trend Micro, IBM and CA Technologies found no CSO or CISO listed under the management team. McAfee, however, advertised on Oct. 18 for a CSO to be based in Santa Clara, which ZDNet Asia understands was a replacement exercise.

Both Trend Micro and CA reported that their CIO is responsible for protecting their organizational information assets, as well as for implementing security vision and strategies. Over at IBM, the responsibility comes under its vice president for IT risk, Kris Lovejoy.

Symantec declined comment for this story.

Explaining the company's lack of a CSO or CISO, Trend Micro CIO Max Cheng said: "As an IT security provider, Trend Micro understands the importance of IT security and therefore, the CIO is empowered with this responsibility and [has a] dedicated [infosecurity] team to implement IT security.

"We do not think creating this title would add any significant value to Trend Micro's IT security defenses," the CIO told ZDNet Asia.

That said, Cheng, who spends about 30 percent of his time on IT security matters, acknowledged that having a dedicated person to manage information security would help "in terms of reassuring customers", especially in light of recent security breaches in the industry.

Sunny Lee, CIO of Hong Kong Jockey Club, said in an e-mail interview that while he did not pay much attention to whether IT security vendors had dedicated CSOs, these organizations should practise what they preach. "[That is], putting information security a top priority for their companies," Lee said, adding that a high level of attention should be placed on such issues.

"They should demonstrate themselves as role models in information security governance," he pointed out. At the end of the day, the key is to do whatever is necessary to mitigate security risks.

"Failing to do so will have serious implications. It will not only put their company at risk, but also put their clients at risk," he noted.

Increasing attacks highlight CSO need
At least two technology companies announced new CSO appointments this year following a series of high-profile security breaches in the industry.

RSA, which revealed in March that information relating to its SecurID technology had been stolen, unveiled its first CSO three months later in June. Eddie Schwartz came on board as a result of RSA's acquisition of NetWitness.

Japanese consumer electronics giant Sony in September also hired a former official in the U.S. Department of Homeland Security as its vice president and CSO. According to the Dark Reading site, the company had received flak for its poor security posture, which was exposed by hackers in April.

Robert Walters' Ganjoo noted that CSOs are common in IT security and IT vendor companies, and there is "huge demand" for such roles. However, in Singapore, the supply of talented and experienced IT security executives is unable to meet the demand.

"The market in Singapore does not offer a very large or extensive pool of security candidates," he said. "Finding someone with exceptional skills in security and with a lot of experience is a challenge."