The role of the cyber security officer is more demanding now than ever before, owing to advances in technology, especially in miniaturization and mobility; more national and global network interfaces to his or her corporation; and more sophisticated attacks. The challenges have never been greater but they will be over time.
Where It Began and Its Evolution and Revolution
We began with only physical security, as after all, the ENIAC and other computers did not connect to the world. A guard, a paper-authorized personnel access list, an alarm, and such were all that were needed in those early days. But as the computer evolved over time, so did the profession of the cyber security officer.
The security profession at that time was primarily made up of retired or former law enforcement or military personnel, who had no interest in computer security. They knew physical security, investigations, and personnel security. This new thing called a computer was best left to the computer scientists and engineers.
As systems evolved, so did the departments responsible for their support. Departments that were once engineering departments perhaps became information resource management departments and later became known as information technology (IT) departments. The protection of this new technology stayed with the IT people. However, the computer security positions within the IT departments also evolved.
As the microprocessor and its related technology developed, the once-separated telecommunications and computer staffs began their integration. Consequently, the “computer security” profession began to also consider the protection of information as it flowed through telecommunications links. As the Internet evolved, the need for protecting information as it was displayed, such as on Web sites, also became an important task for those responsible for protecting the hardware, software, and firmware.
Information and related systems are some of a business’s most valuable assets, one can argue, second only to the employees. In fact, although no one in management within a business would ever prioritize assets to place information and systems above the employees—at least not publicly—people can always be
replaced, and replaced at less cost and adverse impact to the business, than trade secrets and information networks. However, that will probably remain an unspoken issue because of the sensitive nature of valuing machines over humans.
When we think about it, though, information really is business’s No. 1 asset. After all, employees can be terminated, even replaced by computers, and the business survives. In fact, profits may even increase because of lower labor costs. However, eliminate an intranet or national or global information infrastructure connection and the business could be lost.
Today, the cyber security officer position is generally still part of the IT department’s function. Now, the cyber security officer is responsible for the protection of information and the systems that store, process, transmit, and display that information. The cyber security officer profession has matured into a separate profession, and in most large-to-medium companies, it is more than a part-time job or additional responsibility these days. In smaller businesses it remains mostly a part-time job or is outsourced with other security-related functions.
Information systems of various types, such as cellular phones, notebook computers, personal digital assistants, and fax machines, are all used to process, store, transmit, and display information. These devices are becoming more and more integrated into one device. Couple this phenomenon with the hard copies being produced, and one finds that information may be protected on an intranet but leaked through a cellular phone or printed on paper and then taken out of the business’s facilities.
Case Study
Cellular phones are becoming smaller and smaller. Digital cameras are also being installed into these cellular phones. Since management wants their employees to have the latest high-technology devices that help support the business in the most efficient and effective way possible, employees are issued cellular phones. The cellular phones with digital cameras integrated into them allow employees to digitally send photographs as part of their business communications processes. It also provides the opportunity for the employee to photograph sensitive documents, facilities, and such and send the photos directly to unauthorized sources. Thus, there is now another method of performing “Netspionage” (network-enabled espionage). As a cyber security officer, do you have policies, etc., in place to mitigate this new threat?
The cyber security officer position must evolve to be responsible not only for protecting information and systems related to, or the responsibility of, the IT department, but also for protecting all of the business’s information
assets. It is ridiculous to have the business security professional responsible for the security of company assets, including hard-copy documents, people, and facilities, and leave the protection of automated information and systems essentially to IT people. These positions must be integrated to provide a holistic asset protection approach. This may be accomplished through the evolution of the cyber security officer professional into more than a “computer protector” and the security manager into more than a physical security manager. Here in 2016, we are slowly, grudgingly getting there, but ever so slowly, except when it comes to management fixing blame, of course.
The cyber security officer position is evolving, but no real, permanent, standardized “home” has been identified for the cyber security officer position. It depends on the structure and culture of the corporation in which he or she is employed. We do see signs of this changing as this evolution continues, from guard, computer scientist, engineer, IT specialist, computer security specialist, to information security (InfoSec) to cyber security officer, with some indications of change to corporate information assurance officer or corporate information security officer or cyber security officer. In some cases, the evolution of the profession has already led to making the cyber security officer a part of executive management in the position of a vice president. Of course this varies, as can be expected, by the culture of the corporation.
Still, the evolution must continue until all information and systems are integrated into a total business cyber security profession. This requires the combining of business (corporate) security, for example, physical security and personnel security, and the cyber security officer responsibilities. It is the best way to safeguard all business assets in a holistic and cost-effective manner, but again, based on the corporate culture.