Regardless of an organization's vertical or size, security has been and will continue to be an incredibly important part of the risk management portfolio. It's how security is handled, though, that will determine the overall effectiveness of the chief security officer position.
The security spectrum
Security is generally seen as a spectrum. At one end of the spectrum is the wild west kind of environment. In the wild west, anything goes and security is an afterthought. In such environments, there is generally no security officer and every employee just does what they want when they want it. If there is any security, it’s left up to the individual. In these environments, employees can always get their job done thanks to the lack of red tape, but there is a high risk of downtime and data compromise.
At the other end of the spectrum is a place like Fort Knox, where there are multiple levels of firewalls, users don't have any rights, and the security officer always says "No" to any request. In these environments, security is tight, but users are constantly frustrated by their inability to perform basic job functions.
Both kinds of organizations exist and both are doing it wrong. I have, unfortunately, seen both in person.
The security officer will understand the nuances of this spectrum and be able to make the right call to the best benefit of the business.
Security means analyzing risk
Security is not about minimizing risk. Security is not about eliminating risk. Security is not about always saying no to any request that crosses the desk. Security is about analyzing a situation or request and then making a determination as to whether or not any potential associated risk is acceptable to the business. In other words, it’s a cost/benefit analysis. If the benefits outweigh the costs to a sufficient degree, then the job becomes determining ways to minimize that potential risk, but only once the request has been vetted.
I've seen CSOs that take a shoot-first approach and reject out of hand proposals that cross their desks, only to have their decisions overridden by more senior executives that reviewed the entire situation rather than simply exerting control. In most cases, the initial request was perfectly valid, but the CSO felt that his job was to deny anything out of the ordinary. In some cases, I've seen the CSO become the primary bottleneck in major organization-wide projects that carried critical externally imposed deadlines. One has to question the effectiveness of a CSO that is consistently (and correctly) overridden by superiors or that fails to understand an organization's priorities.
The CSO will:
- NOT eliminate risk. Eliminating risk is not an achievable goal and will do long-term damage to the organization.
- Assess risk and make business-focused decisions regarding requests.
- Collaborate with others in the business in an attempt to fully understand needs.
Business and regulatory acumen is as important as technical
CSOs must have highly technical skills that they can use to determine the security posture of the organization. At the same time, security officials must have some business acumen. These business chops become critical when the CSO needs to make decisions. Without such knowledge, the CSO risks making decisions that are contrary to an organization's needs. There are times in an organization's life, for example, when immediate need outweighs other considerations, but understanding these facts requires a CSO that is looped into the conversation and that can make the right call.
A CSO's business knowledge will also be reflected in his understanding of the regulatory environment under which the business operates. Sometimes, a CSO decision must be driven by regulations. However, as is the case with anything, regulation shouldn't be used as a convenient excuse. I have been involved in a situation in which the CSO quoted regulations as a reason for denying a series of requests, only to see his decisions overridden since his justification was wholly inaccurate. When these things happen, it erodes confidence in real compliance efforts and results in decreased efficiency.
The CSO will:
- Have the ability to understand a request and do a cost/benefit analysis to help determine whether the potential risk is worth the outcome.
- Have broad knowledge of the regulatory environment in which the organization operates.
- Make decisions based on a variety of factors.
More than just information security
Increasingly, organizations are turning to CSOs as one-stop shops for all security needs, both physical and technical. As physical security has come to deeply leverage technology, this closing of the gap between the physical and the technical is understandable. CSOs also need to play a role in overall business continuity planning efforts, particularly in organizations that view the CSO as a "protector" of the organization.
When done right, the CSO role is an integral part of an organization’s overall risk management architecture. When done wrong, the CSO role is an expensive paper pusher that could hold back key initiatives. Organizations need to carefully and continually assess their CSO role to make sure that overall information security efforts are matching business needs and outcomes.