So who is an ideal chief security officer? A techie who can manage? Or a manager who knows technology?
That question is hard to answer, given the varied nature of the CSO position, which is still very much in its infancy. There are at least a dozen titles companies are using for people in this position. What they all have in common, however, is their focus on security, as they make high-level policy decisions and strive to create corporate cultures that are respectful of security.
"Their primary job is to be a change agent in the way people work, both in terms of policies and procedure and in terms of the culture," said Peter Gregory, a consultant with the Woodinville, Wash.-based HartGregory Group.
That person needs to be savvy enough to enact effective change that improves security, without alienating end users or management. "It won't work if people don't respect the CSO," Gregory said.
In other words, a CSO's job is not to say "no" to all requests because of security risks, but to find ways to do things like telecommuting securely, said Frank Jaffe, CSO of Portland, Maine-based electronic payment provider Clareon Corp. "I want users to buy into security and realize everybody is part of the solution," he said.
Jaffe doesn't see his role as necessarily a technical one. "I try not to get too enamored with the technology and forget my role," he said. "My job is not a technical job, though I deal with a lot of technology. I have a more business-practice role."
Whether a CSO should be particularly technical depends on the company, Jaffe said. A CSO of a smaller company may have more hands-on duties, so that person would need more technical skills. A CSO at a large company would be much more focused on processes, so being technically savvy isn't so necessary, he said.
Regardless, an effective CSO needs to communicate effectively with the rest of the management team so their "priorities aren't ignored," Jaffe said. "My job is successful when other members of the management team don't have to worry about security because I have it handled."
Dave Juitt sees himself as fluent in both the language of technology and of business. Juitt does double duty at Burlington, Mass.-based Bluesocket as its CTO and chief security architect. His duties range from supervising security training of personnel to explaining security issues to the board of directors for the company, which specializes in securing wireless local area networks.
Juitt can talk about firewalls and IDS with his network people, but he can also discuss how security impacts business needs with the company's board of directors. His job is not to get lost in the technology but to see how it will help the company achieve its business goals.
"You can have the best technology in the world, but without education, policy and ongoing testing, you haven't even started," Juitt said.