[ISN] Security 'head honcho' role divides firms

InfoSec News isn at c4i.org
Tue Dec 6 05:33:48 EST 2005


http://software.silicon.com/security/0,39024655,39154826,00.htm

By Will Sturgeon
5 December 2005

The noise being made about the importance of having a dedicated
security professional within organisations and the actual number of
such appointments appear greatly at odds.

Recent figures show only a quarter of companies currently have a chief
security officer (CSO), leading some to say the resistance is a result
of businesses recognising a fad when they see one.

Jay Heiser, research VP at Gartner, told silicon.com he believes
companies still need to better understand the security challenge and
said many companies will begin to realise the value of a dedicated
"figurehead" in helping them grasp concepts such as risk.

"There are more and more companies putting them in place," said Heiser
of the slow but steady growth in popularity of CSOs and chief
information security officers (CISO).

But he admits many may be put off by what sounds like yet another
vanity job title.

"Today lots of organisations see the way to jumpstart and manage a
process is to put a 'C' in front of somebody's job title," said
Heiser. "But I wouldn't say it's a fad."

But nor is a CSO or CISO right for every firm. Heiser said the size,
complexity and connectivity of the organisation are all going to be
factors in determining whether such an appointment is a necessary
addition to the workforce.

As such, Heiser said banks and other financial services firms are ahead
of the curve in terms of adopting a high-level dedicated information
security professional. He said ecommerce and other highly
web-dependent businesses are also leading the way.

The CSO is charged with gaining a greater understanding of how
business and security are complementary, rather than the latter being
a restriction on the former, with MBAs a favoured qualification over
more technical letters after their name, said Heiser.

Heiser added he was surprised by a recent MORI poll which found that
only 24 per cent of organisations have appointed a CSO. This was
despite the fact 30 per cent believe they face a high risk of being
targeted or hit by a security breach.

Companies with 500-plus employees are beginning to acknowledge the need
for a CSO - or at least more so than their smaller peers - with 41 per
cent saying they do employ a dedicated security chief.

At smaller companies the figure fluctuated around the mid-teens in
percentage terms.

Within these results there is also a further breakdown in terms of
what companies expect from their security chief.

Gartner's Heiser said the distinction between CISO and CSO is
important, as the former tends to deal solely with the safeguarding of
data and information while the latter may also have a role which
encompasses physical security of premises and employees.

Of those respondents to the MORI survey who do have a CSO, 58 per cent
employ that person to manage all security policy and processes within
the enterprise - both physical and digital.

Simon Perry, VP security strategy at CA, who commissioned the MORI
survey, told silicon.com: "The presence of a CSO is usually indicative
of a sense of maturity in the approach to security."

"Good security implementation comes first and foremost from the
fostering of a secure culture in an organisation. It's not about the
technology it's the people and processes too."

The CSO is responsible for creating and steering that culture, said
Perry.
