Information Security News mailing list archives

Diverse skills needed for CSO function, group says


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Dec 2003 04:27:21 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.computerworld.com/securitytopics/security/story/0,10801,87862,00.html

Story by Jaikumar Vijayan 
DECEMBER 05, 2003
COMPUTERWORLD 

A knowledge of information security risk management is just one of the
many skills a chief security officer needs for crafting, influencing
and directing an effective organizationwide protection strategy.

Increasingly, the job also calls for an understanding of issues as
diverse as emergency preparedness, crisis management and response,
physical security, disaster recovery, and privacy and regulatory
matters. That's the assessment of Alexandria, Va.-based ASIS
International, a 33,000-member group of security professionals that
this week released draft guidelines that companies can use when
developing CSO positions.

"There's been a lot of discussion on the need for organizations to
create a centralized governance function for many areas of risk," said
Jerry Brennan, president of Vienna, Va.-based Security Management
Resources Inc. and one of the drafters of the document.

The guidelines are the result of an attempt to give a formal
definition of the scope, responsibilities for reporting relationships
and experience needed to do the job, he said.

"There wasn't much available that addressed the pulling together, from
a governance perspective, of all of the areas of security risk that an
organization faces," Brennan said. "So we decided to try and craft a
document that would be broad-based and truly represent what the CSO
position would be in an organization."

The ASIS guidelines come at a time when a growing number of security
professionals say there needs to be a top-level management position to
oversee all aspects of operational risk. "I have always found it
preposterous to suggest that there are separate disciplines that
require separate management" when it comes to operational security,
said Dennis Treece, director of corporate security at the
Massachusetts Port Authority in Boston.

For example, installing a privacy officer who is separate from the
rest of the security team only "fragments the effort and ensures that
the physical and virtual aspects of privacy have to be laboriously
coordinated," Treece said. The same is true when it comes to having
separate chief information security officer and CSO functions. "Having
been both separately and now both at the same time, I can state with
confidence that combining them makes the most sense," he said.

Even so, security professionals agree that only a relatively small
number of companies have created a formal CSO function because of the
substantial political and organizational challenges that need to be
overcome in doing so.

The popular notion of the CSO being in charge solely of IT and
physical security functions has also limited the effectiveness of the
role, said David W. Stacy, global IT security director at St. Jude
Medical Inc., a $1.6 billion manufacturer of medical equipment in St. Paul, Minn.

"I prefer the concept of the chief risk officer that encompasses these
two areas" while also including other functions such as privacy, risk
insurance and regulatory compliance, Stacy said.

"So, moving to a CSO model that only deals with IT security and
physical security may be a logical first step to eventually getting to
a CRO model," he added. "But even having a CSO would be a revolution,
as opposed to an evolution, in many organizations."

Some security professionals have trouble with the concept of having an
all-encompassing role. For one thing, "there is a huge difference
between the practice of physical security management and information
security management," said Eddie Schwartz, chief technology officer at
Securevision LLC, a Fairfax, Va.-based consultancy. "While both
disciplines have the use of technology as a common element, the
background and education of the practitioners are distinct."

There's also the danger of rolling far too many functions under the
CSO umbrella, Schwartz said. "It's an unnatural organization of
activities and doomed to failure in most organizations," he said.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.