It's also important to note that the CSO is a position of influence, as most of the resources needed to successfully
run a security program reside in multiple groups. For instance, the network operations team tends to run the firewalls and IPS gear. The data center managers are responsible for patching the servers and securing the databases. Yet someone has to assume responsibility to make sure that everything works together, business systems remain available and data is appropriately protected.
What I'm alluding to here is that every CSO needs to manage the security PROGRAM, and they do this without directly controlling people or tools. Right, that's a tall order.
As I describe in the Pragmatic CSO, the job of the CSO is now more about persuading senior managers and IT colleagues to implement good security practices. This is a multi-stage process that is radically different than one that most security professionals have used in the past. But given the new reality of such a wide distribution of resources, most CSOs have no choice but to act more Pragmatically.
Those in the DoD need to express security within the context of the military business, just as those in commercial enterprises need to make security relevant to their business operations.
Dig deeper on Information Security Policies, Procedures and Guidelines
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.