What Might it Take to Be a Chief Security Officer in 2014?
The changing nature of corporate networks is morphing the way companies need to consider IT threats, and re-writing the role of the chief security officer.
Thinking of hiring someone new to oversee your IT security? Then here’s a word of warning: don’t bother digging out the job description you used for your last chief security officer (CSO) or chief information security officer (CISO) recruitment ad. Information security has always been a rapidly evolving field, with new threats popping up on a daily basis. But the scale of change has shifted significantly in recent years as a result of a range of high-profile trends.
“Now mobile devices and laptops are what you could buy in any retailer, so they are much easier to get hold of… even by bad guys who can reverse engineer them.”
This bring-your-own-device (BYOD) trend is difficult to fight. And, indeed, many corporations are trying to profit from it through special infrastructures. But BYOD carries a range of security challenges.
“BYOD management requires either isolation or inclusion, meaning that the devices need to be included in what you manage centrally,” states Martin Jartelius, CSO at Outpost24. “Network access control is the only way to truly allow BYOD.”
“Otherwise, we are at a point where you are allowed to buy equipment for partially private use, which can be centrally managed by your employer. Central management is a requirement for this to work well.”
In any event, trends such as BYOD, mobility, and cloud computing have blurred the boundaries between corporate networks and the outside world. That means new skills are needed to protect company systems and data.
Previously, believes Lior Arbel, chief technology officer at Performanta, CSOs and CISOs were “very technology-aware guys that needed to protect the organization from malware. The solutions on the market weren’t as wide as today.”
“There were some 10 to 15 technologies from different vendors that covered 90 percent of the list.”
Having a well-defined corporate boundary meant a professional with enough in-depth knowledge could happily introduce technologies and enforce policies that would keep the organization safe. Not so now.
“Being a CSO is getting more difficult both politically and technically,” comments Luther Martin, Voltage Security‘s chief security architect. “The technical issues are fairly obvious: dealing with the evolving issues like cloud computing, BYOD, and mobility.”
“The political issues that come with these technologies may actually be trickier to deal with than their technical aspects, and dealing with those sorts of issues can end up being something that CSOs spend more and more time on.”
This is because new technologies often make it easier for individual employees or even entire parts of an organization to easily work around a corporate security policy, he says.
If anyone with a credit card, for example, can start using cloud computing, it’s very hard to limit your corporate use of cloud computing to only approved or certified cloud providers.
And because it’s so easy to get your work email on your phone, it’s very hard to enforce a corporate security policy that prohibits or limits doing this. The upshot is tomorrow’s CSOs and CISOs can no longer be able to make do with in-depth technical knowledge.
Instead, they have to apply more analytical, strategic, and even creative thinking. “You need to have an understanding of the technicalities but also the need to be in tune with the business side,” states MTI security practice sales leader Simon Godfrey.
“You need to engage and work with a whole set of executives who may not be technical. You’ve got to identify the risks and put measures against them.”
Where do you find such a creature? Forget about the highly specialized technical environments, from software development firms to white-hat hacker group that might have produced great CSOs or CISOs a decade ago.
The skills now needed for the role are more likely to be found among people with a business background who have “a global view on threats and the changing threat landscape,” according to Garry Sidaway, global director of security strategy at NTT Com Security.
They’ll also need to embrace and manage change and understand how to collaborate, through information and intelligence sharing, within an increasingly complex and restricting compliance environment.
Tom Gaffney, technical director of F-Secure UK & Ireland, concludes: “The CSO has to find that balance between creating and sustaining a secure environment, whilst also enabling end-users to work unhindered.”
“This fine line that they walk is why they are often the most unloved person within an organization. It is their job to help people, from board members to temp staff, understand the threats, while knowing that they can still likely fall prey to an attack.”
“In this scenario, CSOs should be valued in how they operate while in crisis, not when things are doing well. Incident response is a business process involving IT, Legal, Human Resources, law enforcement, PR, and others. The CSOs in 2014 can show us how this is done well.”