Feature
Comment: A logical shortfall for the ‘complete CSO’
19 July 2010
Paul Johnson, Meridian
Meridian’s Paul Johnson examines the differences between CSO and CISO and makes the case as to why small and medium-sized organisations must consider logical security training if they choose to employ an all-encompassing CSO, rather than separating logical security responsibilities out to a separate CISO.
This article is featured in: Compliance and Policy • Security Training and Education
Comments
Piers Bencard says:
25 July 2010
Paul Johnson's article suggests that a Chief Information Security Officer (CISO) cannot be a person who has come from a non-technical background in a small to medium-sized enterprise. The reason he gives is that the CISO must be able to change the default configuration on a network security product. He later goes on to state:
“An IT manager will, of course, have a view on the best way forward, but it is the CISO’s responsibility to digest this advice and align this with the business strategy.”
And
“For IT managers, working with a CSO without the right level of logical security knowledge ...”
This infers that the organisation retaining the CSO also has an IT manager. If so, why is the CSO re-configuring the network device in the first place?
Mr Johnson then goes on to suggest that if the appointed Chief Officer does not have the right level of training then they must be trained to enable them to make the correct decisions; I wholeheartedly support this. Indeed, I would suggest that any new network appliance (they all need to be correctly configured when initially installed) will require a network technician, or other IT professional with in-depth technical knowledge, to be trained in its correct function, as the variance from one release to another of the same piece of hardware may be significant, let alone a new piece of hardware that the person installing it has not seen before.
In my opinion, the Chief Security Officer needs to have no more experience in re-configuration of a network security device than he or she does in the correct implementation of a physical security measure. The Chief Officer, in any department, is not there to get involved in the work at the coal face if it can be helped in any way; they are more in the line of politicians and, while leadership of their particular function is very important, the coal face should not be their prime concern. The Chief Officer's three most important functions are:
To represent their ‘function’ to the CEO and the board.
To assist the board in the formulation of policy based on sound decisions made from experience and research in their field.
To provide a conduit between the CEO/the board and the team providing their function.
For a Chief Security Officer, I would prefer to see a greater knowledge of the business as a whole, of the information assets that the business is responsible for and a true understanding of risk.