Feature

Comment: A logical shortfall for the ‘complete CSO’

19 July 2010
Paul Johnson, Meridian

Meridian’s Paul Johnson examines the differences between CSO and CISO and makes the case as to why small and medium-sized organisations must consider logical security training if they choose to employ an all-encompassing CSO, rather than separating logical security responsibilities out to a separate CISO.

Large businesses commonly separate the roles of CSO and CISO, relating to the stewardship of physical and logical security, respectively. However, in many small to medium-sized enterprises, one individual often takes responsibility for both of these key functions, be they titled CSO, CISO or even, mistakenly, CIO.

This seems like a marriage made in heaven. After all, established and entry-level professionals, particularly at security vendors, are commonly trained in, and aware of, the key dangers, technical intricacies and legislative pressures surrounding both logical and physical security.

Furthermore, the links between these two categories are unquestionably clear, taking into account the growing trend for sophisticated social engineering to facilitate computer crime, and the rise in legislation that binds these two areas together. Yet, while the rationale for appointing one individual as a ‘complete CSO’ appears sound, the legacy of a trend that emerged around three or four years ago continues to expose businesses to potential breaches.

Information security has always been a key issue for industry insiders, but when it came to prominence with the rise of e-commerce, social networking and notable reductions in the price of computing infrastructure equipment, businesses recognised the need for a senior figure to take the lead on logical security. Up stepped the CSO. They had the trust of the CEO or managing director, some limited logical security experience, and their appointment did not require a costly new hire.

However, this is not the miracle solution that it might at first appear to be. Senior management teams often see the word ‘security’ and presume that the threats and the skills will be similar. Although a large number of CSOs will have good, solid experience with managing security of the business, particularly on the physical side, few will have the specialist logical security training to deliver an effective overarching strategy.

It is a real leap to move from an area where threats are visible and physical barriers can be put in place, to one where intruders are hidden behind a network or an unseen interface.

Of course, anybody can buy a network security product off the shelf. Good CISOs, however, will come into their own when it comes to customising the default configuration so that it works optimally for a specific business. Acquiring this level of in-depth technical knowledge can be the most significant barrier to success – and its absence, in many cases, the greatest threat to a business’s security.

For example, many CISOs must fulfil a range of obligations set out in standards such as PCI DSS (a payment card industry requirement) and ISO 27001 (an information security management standard), most of which take a hard line on the actions that businesses must take to comply. However, in the absence of a common standard to govern all business activities, there are a wide range of conflicts and discrepancies, and there is no one definitive set of requirements.

It is difficult to take these standards together and get the ‘right’ answer at the best of times, and when an individual does not have the technical knowledge to make the best call, the task can be well nigh impossible. An IT manager will, of course, have a view on the best way forward, but it is the CISO’s responsibility to digest this advice and align this with the business strategy.

A lack of understanding can reach beyond compliance and bring up real difficulties both for internal IT teams and external consultants. Recommending a new firewall, for example, can seem an unnecessary expense for a senior manager who cannot understand why the existing product cannot be upgraded.

For IT managers, working with a CSO without the right level of logical security knowledge can be a constant battle in terms of day-to-day expenses. Moreover, even where such a CSO might be persuaded that a purchase is a good idea, he or she might then struggle to gain buy-in at board level when directors pose the difficult questions.

If it is unfeasible to appoint a knowledgeable network security professional to take responsibility for the logical security strategy, then it is vital that CSOs undertake the training that will set them in good stead to make and approve effective and reasoned decisions. Industry-recognised qualifications, such as the Certified Information Security Manager (CISM) or Certified Information Systems Auditor (CISA) programmes, enable holders to manage and audit their own systems, while a qualification such as the Certified Information Systems Security Professional (CISSP) will provide a good understanding of the technology itself.

Similarly, of course, a manager with an extensive knowledge of logical security would be expected to undergo training in physical security – it is a matter of fully understanding the threats they are managing, be they an intruder on-site or one looking to access the business’s confidential data from a computer.

Businesses, then, must make the investment in training CSOs to ensure the security of their organisation and its data. The existing individual may have a deep knowledge of the company and its particular physical security issues, but ‘inheriting’ the logical security role can present a challenge for which he or she is not prepared.

For many businesses, the threat to their networks is now far greater than the threat to their premises, and this must be taken seriously at the board level, with the guidance of an informed and skilled CSO.


Paul Johnson is currently a director at UK-based Meridian, an NCC Group company. Johnson has worked in the technology industry for over fifteen years in senior management positions for Mondex and Multos certification authorities (MasterCard companies), and Keycorp Systems. He is a qualified electrical engineer with a degree in business management.

In 2001 Johnson established Meridian and undertook the role of managing director, developing the business to become a global audit and compliance company. He joined NCC Group as operational director upon its acquisition of Meridian, and is now responsible for the global delivery of the Meridian portfolio of audit and compliance services for NCC Group.

This article is featured in:
Compliance and Policy  • Security Training and Education


Comments

Piers Bencard says:

25 July 2010
Paul Johnson’s article suggests that a Chief Information Security Officer (CISO) cannot be a person who has come from a non-technical background in a small to medium-sized enterprise. The reason he gives is that the CISO must be able to change the default configuration on a network security product. He later goes on to state:
“An IT manager will, of course, have a view on the best way forward, but it is the CISO’s responsibility to digest this advice and align this with the business strategy.”
And
“For IT managers, working with a CSO without the right level of logical security knowledge ...”

This infers that the organisation retaining the CSO also has an IT manager. If so, why is the CSO re-configuring the network device in the first place?
Mr Johnson then goes on to suggest that if the appointed Chief Officer does not have the right level of training then they must be trained to enable them to make the correct decisions; I wholeheartedly support this. Indeed, I would suggest that any new network appliance (they all need to be correctly configured when initially installed) will require a network technician, or other IT professional with in-depth technical knowledge, to be trained in its correct function, as the variance from one release to another of the same piece of hardware may be significant, let alone a new piece of hardware that the person installing it has not seen before.
In my opinion, the Chief Security Officer needs to have no more experience in re-configuration of a network security device than he or she does in the correct implementation of a physical security measure. The Chief Officer, in any department, is not there to get involved in the work at the coal face if it can be helped in any way, they are more in the line of politicians and, while leadership of their particular function is very important, the coal face should not be their prime concern. The Chief Officer’s three most important functions are:
To represent their ‘function’ to the CEO and the board.
To assist the board in the formulation of policy based on sound decisions made from experience and research in their field.
To provide a conduit between the CEO/the board and the team providing their function.
For a Chief Security Officer, I would prefer to see a greater knowledge of the business as a whole, of the information assets that the business is responsible for and a true understanding of risk.
