[ISN] Diverse skills needed for CSO function, group says

From: InfoSec News (isn@private)
Date: Mon Dec 08 2003 - 02:27:21 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.computerworld.com/securitytopics/security/story/0,10801,87862,00.html
    
    Story by Jaikumar Vijayan 
    DECEMBER 05, 2003
    COMPUTERWORLD 
    
    A knowledge of information security risk management is just one of the
    many skills a chief security officer needs for crafting, influencing
    and directing an effective organizationwide protection strategy.
    
    Increasingly, the job also calls for an understanding of issues as
    diverse as emergency preparedness, crisis management and response,
    physical security, disaster recovery, and privacy and regulatory
    matters. That's the assessment of Alexandria, Va.-based ASIS
    International, a 33,000-member group of security professionals that
    this week released draft guidelines that companies can use when
    developing CSO positions.
    
    "There's been a lot of discussion on the need for organizations to
    create a centralized governance function for many areas of risk," said
    Jerry Brennan, president of Vienna, Va.-based Security Management
    Resources Inc. and one of the drafters of the document.
    
    The guidelines are the result of an attempt to give a formal
    definition of the scope, responsibilities, reporting relationships
    and experience needed to do the job, he said.
    
    "There wasn't much available that addressed the pulling together, from
    a governance perspective, of all of the areas of security risk that an
    organization faces," Brennan said. "So we decided to try and craft a
    document that would be broad-based and truly represent what the CSO
    position would be in an organization."
    
    The ASIS guidelines come at a time when a growing number of security
    professionals say there needs to be a top-level management position to
    oversee all aspects of operational risk. "I have always found it
    preposterous to suggest that there are separate disciplines that
    require separate management" when it comes to operational security,
    said Dennis Treece, director of corporate security at the
    Massachusetts Port Authority in Boston.
    
    For example, installing a privacy officer who is separate from the
    rest of the security team only "fragments the effort and ensures that
    the physical and virtual aspects of privacy have to be laboriously
    coordinated," Treece said. The same is true when it comes to having
    separate chief information security officer and CSO functions. "Having
    been both separately and now both at the same time, I can state with
    confidence that combining them makes the most sense," he said.
    
    Even so, security professionals agree that only a relatively small
    number of companies have created a formal CSO function because of the
    substantial political and organizational challenges that need to be
    overcome in doing so.
    
    The popular notion of the CSO being in charge solely of IT and
    physical security functions has also limited the effectiveness of the
    role, said David W. Stacy, global IT security director at St. Jude
    Medical Inc., a $1.6 billion manufacturer of medical equipment in St.
    Paul, Minn.
    
    "I prefer the concept of the chief risk officer that encompasses these
    two areas" while also including other functions such as privacy, risk
    insurance and regulatory compliance, Stacy said.
    
    "So, moving to a CSO model that only deals with IT security and
    physical security may be a logical first step to eventually getting to
    a CRO model," he added. "But even having a CSO would be a revolution,
    as opposed to an evolution, in many organizations."
    
    Some security professionals have trouble with the concept of having an
    all-encompassing role. For one thing, "there is a huge difference
    between the practice of physical security management and information
    security management," said Eddie Schwartz, chief technology officer at
    Securevision LLC, a Fairfax, Va.-based consultancy. "While both
    disciplines have the use of technology as a common element, the
    background and education of the practitioners are distinct."
    
    There's also the danger of rolling far too many functions under the
    CSO umbrella, Schwartz said. "It's an unnatural organization of
    activities and doomed to failure in most organizations," he said.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 04:55:21 PST