24 A Practical Guide to Security Assessments
a number of changes in their businesses — specifically at the organization level.
Some of the changes that have occurred and are discussed in detail in the next few
sections include:
• Rise of the Chief Security Officer (CSO)
• Separate organizations dedicated to information security
The organization is a critical part of a security assessment. Organizational structure
determines roles, responsibilities, and ownership of the security function. How information
security is handled from an organizational perspective depends on several factors,
including budget, personnel, and, most important, how to align security
personnel and organizational structure so that security risk is managed effectively. An
information security program with the best processes and technology can be completely
ineffective without the right organizational structure and clearly defined roles and
responsibilities. One of the challenges when conducting a security assessment is a
company's tendency to focus on technology when talking about security. The organizational
aspect, with clearly defined roles and responsibilities, is critical to the success of
an information security program.
RISE OF THE CHIEF SECURITY OFFICER
One of the major shifts that the industry has seen is the emergence of the Chief Security
Officer (CSO). This is typically an executive- or management-level position
with overall responsibility for security. The CSO's role varies from company to
company but in general is very broad, because it touches virtually every part of
the company, including technology, critical business processes, physical security,
investigations, and executive protection. The CSO must be aware of the security,
operational, and financial risks and issues facing the company and must be able to
communicate and build relationships across organizational boundaries.
The advent of the CSO is a recent trend and a very positive step toward recognizing
the importance of information security. In a survey performed by CSO Magazine in
September 2002, in which approximately 1,000 security professionals were surveyed,
37 percent said that they had been in the position for less than one year and over
60 percent had been in their positions for less than two years.[13] Clearly, the role is new,
but its growth is a positive one. It is possible that many of these positions were created in the
aftermath of the 9/11 tragedy in the United States, because that event brought on a
heightened awareness of security.
Although having someone with the CSO title, or someone with overall
ownership of security, is becoming more common, it is still an uphill battle to justify
security spending and show its value. This is largely because of the mentality, "since nothing
has happened, nothing is wrong, so why fix it?" This mentality gives senior man-
agement a false sense of confidence. A security officer with a global financial firm
recently commented, “The greatest threat we face is the belief of senior management
that there is no threat. So we don’t get funds, money, or resources, and without those
things, you can never address security threats and risks."[14]
There is a lack of education within many companies at all levels, from management on down, about the