How can a CSO take ownership of a security program?
When it comes to information security, Department of Defense organizations have cut-and-dried requirements to meet. Most DoD organizations I have worked with, however, feel that information security is the IT department's responsibility. How does a new chief security officer (CSO) get an organization to take ownership of the security program?

Information security is everyone's responsibility. Every employee must do the right thing and protect the data and systems within his or her control. But it is the chief security officer (CSO) who is accountable for the results of the security program. Hopefully, the difference is clear.

It's also important to note that the CSO is a position of influence, as most of the resources needed to successfully run a security program reside in multiple groups. For instance, the network operations team tends to run the firewalls and IPS gear. The data center managers are responsible for patching the servers and securing the databases. Yet someone has to assume responsibility to make sure that everything works together, business systems remain available and data is appropriately protected.

What I'm alluding to here is that every CSO needs to manage the security PROGRAM, and has to do so without directly controlling the people or the tools. Right, that's a tall order.

As I describe in the Pragmatic CSO, the job of the CSO is now more about persuading senior managers and IT colleagues to implement good security practices. This is a multi-stage process that is radically different from the one most security professionals have used in the past. But given the new reality of such a wide distribution of resources, most CSOs have no choice but to act more Pragmatically.

Those in the DoD need to express security within the context of the military business, just as those in commercial enterprises need to make security relevant to their business operations.

More information:

  • Should capable network managers stretch their duties into the security space, perhaps acting more like a CSO? Contributor Shon Harris explains.
  • Make sure your information security governance program is focused and effective.
  • This was first published in April 2007