Diverse skills needed for CSO function, group says

Computerworld - A knowledge of information security risk management is just one of the many skills a chief security officer needs for crafting, influencing and directing an effective organizationwide protection strategy.
Increasingly, the job also calls for an understanding of issues as diverse as emergency preparedness, crisis management and response, physical security, disaster recovery, and privacy and regulatory matters. That's the assessment of Alexandria, Va.-based ASIS International, a 33,000-member group of security professionals that this week released draft guidelines that companies can use when developing CSO positions.
"There's been a lot of discussion on the need for organizations to create a centralized governance function for many areas of risk," said Jerry Brennan, president of Vienna, Va.-based Security Management Resources Inc. and one of the drafters of the document.
The guidelines are the result of an attempt to give a formal definition of the scope, responsibilities for reporting relationships and experience needed to do the job, he said.
"There wasn't much available that addressed the pulling together, from a governance perspective, of all of the areas of security risk that an organization faces," Brennan said. "So we decided to try and craft a document that would be broad-based and truly represent what the CSO position would be in an organization."
The ASIS guidelines come at a time when a growing number of security professionals say there needs to be a top-level management position to oversee all aspects of operational risk. "I have always found it preposterous to suggest that there are separate disciplines that require separate management" when it comes to operational security, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
For example, installing a privacy officer who is separate from the rest of the security team only "fragments the effort and ensures that the physical and virtual aspects of privacy have to be laboriously coordinated," Treece said. The same is true when it comes to having separate chief information security officer and CSO functions. "Having been both separately and now both at the same time, I can state with confidence that combining them makes the most sense," he said.
Even so, security professionals agree that only a relatively small number of companies have created a formal CSO function because of the substantial political and organizational challenges that need to be overcome in doing so.
The popular notion of the CSO being in charge solely of IT and physical security functions has also limited the effectiveness of the role, said David W. Stacy, global IT security director