http://software.silicon.com/security/0,39024655,39154826,00.htm

By Will Sturgeon
5 December 2005

The noise being made about the importance of having a dedicated security professional within organisations and the actual number of such appointments appear greatly at odds.

Recent figures show only a quarter of companies currently have a chief security officer (CSO), leading some to say the resistance is a result of businesses recognising a fad when they see one.

Jay Heiser, research VP at Gartner, told silicon.com he believes companies still need to better understand the security challenge and said many companies will begin to realise the value of a dedicated "figurehead" in helping them grasp concepts such as risk.

"There are more and more companies putting them in place," said Heiser of the slow but steady growth in popularity of CSOs and chief information security officers (CISO). But he admits many may be put off by what sounds like yet another vanity job title.

"Today lots of organisations see the way to jumpstart and manage a process is to put a 'C' in front of somebody's job title," said Heiser. "But I wouldn't say it's a fad."

But nor is a CSO or CISO right for every firm. Heiser said the size, complexity and connectivity of the organisation are all going to be factors in determining whether such an appointment is a necessary addition to the workforce.

As such Heiser said banks and other financial services firms are ahead of the curve in terms of adopting a high-level dedicated information security professional. He said ecommerce and other highly web-dependent businesses are also leading the way.

The CSO is charged with gaining a greater understanding of how business and security are complementary, rather than the latter being a restriction on the former, with MBAs a favoured qualification over more technical letters after their name, said Heiser.

Heiser added he was surprised by a recent MORI poll which found that only 24 per cent of organisations have appointed a CSO. This was despite the fact 30 per cent believe they face a high risk of being targeted or hit by a security breach.

Companies with 500-plus employees are beginning to acknowledge the need for a CSO - or at least more so than their smaller peers, with 41 per cent saying they do employ a dedicated security chief. At smaller companies the figure fluctuated around the mid-teens in percentage terms.

Within these results there is also a further breakdown in terms of what companies expect from their security chief.

Gartner's Heiser said the distinction between CISO and CSO is important, as the former tends to deal solely with the safeguarding of data and information while the latter may also have a role which encompasses physical security of premises and employees.

Of those respondents to the MORI survey who do have a CSO, 58 per cent employ that person to manage all security policy and processes within the enterprise - both physical and digital.

Simon Perry, VP security strategy at CA, who commissioned the MORI survey, told silicon.com: "The presence of a CSO is usually indicative of a sense of maturity in the approach to security."

"Good security implementation comes first and foremost from the fostering of a secure culture in an organisation. It's not about the technology it's the people and processes too."

The CSO is responsible for creating and steering that culture, said Perry.