Yesterday's balkanized approach isn't going to get you where you want to go—or reduce your company's risk. CSOs need to seize the opportunities now to centralize security or pay the price later.
IT'S BECOMING CLEARER and clearer to me that members of the information security community are enamored with the CSO title and have taken it for their own. And apparently there's nobody to challenge them or to correct this overstatement of responsibilities.
In fact, this very magazine recently ran an article noting the creation of the Global Council of CSOs, comprising highly regarded information risk management professionals. In it, Howard Schmidt was asked to comment on the apparent lack of inclusion of physical security in the Council's scope. Schmidt confessed that he's "been forgetting to do that." Unfortunately, such an oversight sums up the current landscape, in which we CSOs are unable even to define the elements of corporate protection within our scope of responsibility. (I'm just as dismayed, by the way, at the prospect of a CSO who owns only physical security and investigations as I am by one who is the sole proprietor of information security.)
Why does this balkanized viewpoint bother me? Because security is fundamentally about risk. The business imperative is driven by broader, deeper and more immediate risk, and the consequences potentially include corporate and executive survival. Board members and senior executives can no longer think simplistically about securing their corporation with antivirus software and a physical security program comprising a low-bid guard contract and an access control system. CSOs need a business model that clearly defines the scope of security responsibilities, and a job description that includes oversight of securing every aspect of the organization.