Is the CSO a toothless tiger?

In some Australian organisations the CSO is a toothless tiger and employed only to meet regulatory requirements, which can lead to companies limping from one IT security disaster to another.
Written by Brett Winterford, Contributor

Many financial institutions and government agencies require a CSO to meet compliance audits for such benchmarks as PCI, Sarbanes Oxley and ACSI33. It's often asserted that meeting these benchmarks is the only reason the role exists.

  • CSOs are often appointed so their company complies with regulations such as PCI, Sarbanes Oxley and ACSI33.
  • If the CSO has no real power, decisions can be left to people and departments that do not see security as a priority.
  • Organisations with this 'tick-box' approach to compliance tend to "limp from one IT security disaster to another".
  • Australian compliance legislation is weak and attempting to comply is often treated as acceptable rather than compliance itself.
  • The CSO should be able to highlight the risks each business unit faces and say "this risk is yours, but I will help you with it."

"I could name you a dozen organisations we've talked to in the last few months that put in new security infrastructure purely for the sake of compliance," said Carlo Minassian, founder and CEO of managed security service provider Earthwave. "They pay 200K to hire a CSO, tick a box, and they are compliant. But beyond that, the CSO is given no budget, struggles to get a say in the boardroom and gets very bored of the job. Nobody is hired to manage the IDS and Firewall, logs aren't monitored, software gets three years out of date and nobody notices," he said.

The CSO has essentially become a "scapegoat", says Wayne Neich, country manager for security vendor BlueCoat.

"They own the responsibility of achieving, demonstrating, and maintaining compliance, but they aren't given the resources to do this effectively," he said.

Brian Brannigan, managing director of identity management systems integrator Agreon Systems, believes that organisations with a 'tick-box' approach to compliance tend to "limp from one IT security disaster to another".

"They need a fall guy," he says. "And appointing a CSO is simply the cheapest option."

Boardroom respect
A CSO who is installed only for the purpose of compliance tends to struggle to have security taken seriously.

"The challenge is to get commitment from the organisation for security policies and procedures, to get buy in from everybody, to be taken seriously in the boardroom," Earthwave's Minassian says.

The CSO's job becomes limited to producing reports. They are expected to give security-related advice to business units but it's the business units that get to make the choice on adopting a technology or policy.

"The CSO is very rarely empowered," says CheckPoint business development manager Fred Borjesson. "It's hard to be a policy creator if the decisions and the budgets lie with the business units."

"If a CSO creates a policy that involves a purchasing decision, they should be able to rely on corporate to fund the acquisition and for business units to comply. There should be no choice," said Borjesson.

"If the CSO's hands are tied," he warns, "the companies risk leaving decisions to people that have a very different set of priorities. The agenda among the leaders of business units tends to be limited, sometimes only to profit."

Water-weak compliance
The problem, says Agreon's Brannigan, is that most of the regulations that organisations are looking to comply with have no real teeth.

Australian compliance legislation, he says, is weaker than its equivalent in the US. The act or process of attempting to comply is treated as acceptable rather than compliance itself.

"You can fail in Australia, and there are no real consequences," he says. "I know a number of companies that have failed security audits consistently."

Peter Croft, managing director of security vendor Clearswift said that regulations are pointless if appointing a person with the right title is all an organisation requires to be considered compliant. "It's a good start, but it's not the whole answer."

Agreon's Brannigan is certain that situation will change — that securing sensitive data, particularly private data, will become enshrined in law.

"I bet my career on it," he says. "Increasingly it will be backed by legislation and real consequences. We're seeing that around the world."

The Australian Law Reform Commission, for example, has slated data breach notification requirements as part of proposed amendments to Australia's privacy laws it prepared last year.

"If that goes through and becomes law then Australia is in for some long overdue growing pains," says IBRS security analyst James Turner. "Australian organisations perform very well at keeping credit card fraud much lower than the countries we like to compare ourselves to. But the toll on the individual of identity theft is still way too high. It might be an acceptable level of risk to the bank but it's not acceptable for the individual who has their credit card details leaked. You can't tell me that those people aren't suffering."

Turner says that he speaks to many organisations that would be in some strife if such legislation came through. "A lot of hands are busy sweeping [data breaches] under the carpet at the moment," he says.

"A lot of lazy practices we've got used to are going to have to come to an end very quickly," agrees Agreon's Brannigan. "The only way to make it happen is new legislation. I am hopeful that within Rudd's Government, the responsibility to protect an individual's identity will be passed. And hopefully that will clear up opportunities for CSOs."

"Legislation is about transferring risk," says IBRS's Turner. "If a company doesn't think that it's cost-effective to take care of its customers' records, then it's the government's job to make it cost effective. Sometimes that means carrot, and sometimes it means stick."

The government will look at changing the legislation around privacy including data breaches, according to Senator John Faulkner speaking this week.

Re-thinking the CSO role
In the meantime, the CSO still has to maintain IT security at an acceptable level with other means than the threat of regulatory action.

The role of the CSO, says Turner, needs to be revisited. He believes that it is more important for the CSO to be a "gatekeeper and semi-autonomous think-tank" than the central office for launching security technology projects.

"The CSO is primarily there to help the business understand how and why security is relevant to business processes," he says. "The best gift you can give to senior people is a well-thought and well-articulated contrasting opinion."

"It isn't about being a killjoy. It's about going through the IT department with new eyes and challenging the sacred traditions which naturally build up in any collection of people."

Mark Pullen, country manager for security vendor RSA, recommends that CSOs dig deep in the organisation and seek buy-in from all the organisation's business units.

"I'd pull together a person from every line of business to form a risk committee," he said. "I would ask that the committee meets regularly to talk about what risks they each face. Many will find they have the same problems, or could use the same repeatable solutions, as the others."

An assessment of risk, Pullen asserts, drives discussion within the business. "As the CSO, you need to make it clear that risk doesn't belong to the IT security department, it belongs to the business."

"Business is all about risk. It's about taking capital and risking it for profit. That's why businesses exist. What the CSO should be saying to the business units is — this risk is yours, but I will help you with it. I'm here to help."
