16 April 2008

Security Officer should have more Strategic Role

John Sterlicchi, US Bureau Chief, reporting from RSA

When it comes to defining what a Chief Security Officer does in an enterprise think less of a corporate cop and more of a business enabler. That was the message at the RSA Conference from Dave Hansen, former CIO at CA and now a senior vice president and general manager of the company’s Security Management business.

At present 46 percent of CSOs spend up to a third of their day just analyzing security event reports and that is not good use of their time said Hansen.

“Instead, the CSO should be deeply engaged in understanding the lines of business and devising ways to use security to increase efficiency and drive profitable growth. That’s what strategic security is all about," he said.

“No longer merely an enforcer of security protocol, the CSO works with the CIO, CFO and other C-Suite executives as a business enabler, a strategist, and a security evangelist who helps the organization recognize the need to embed secure practices in every facet of the business,” he added.

Hansen told his audience that nowadays there’s a lot of debate about to whom the CSO should report. “Some favor having the position report to the Audit Committee of the Board of Directors. Some say it should be the office of the Chief Counsel. Others say the CIO or even the CEO.”

He believed that where exactly the CSO reported was less important than ensuring that the CSO was working closely with the organization’s senior leaders. “Security demands an executive voice with the appropriate degrees of insight and muscle behind it.”

As to the future, he said that as companies migrate to Software as a Service, the demands on the CSO will continue to evolve. Greater agility in responding to customer needs will be essential and an ever deeper interaction with the business will be the norm.

News index