These views indicate that a "dedicated" CSO is not a specimen found in many Asian enterprises.

Reporting Structure

One of the more sensitive issues surrounding the new office of a Chief Security Officer is reporting relationships. While the logical argument might seem to have the CSO report to the CIO - because the CIO heads IT and he may argue that this position should be a direct report because ultimately all decisions affecting technology should rest in his hands - industry experts and practitioners believe that the CSO should report to the COO or CEO, because the CSO's core responsibility will be vulnerability assessment and risk management.

Judy B. Homer, president of JB Homer Associates, a search firm in the U.S., explains why, in her column in CSO magazine, the sister publication of CIO (U.S.): "The CSO will evaluate the technology environment and audit the security measures implemented by the CIO - it is thus in the company's and CIO's best interest to have the CSO perceived as an impartial assessor of the technology environment instead of a possible rubber stamp."

ABN AMRO's Lew agrees: "The measures put forth by the security organisation has to provide a security framework on how technology will be governed - and so it cannot be policing IT if it reports only to IT. The regulators discourage this as well."

Skillsets

Experts also acknowledge that in a time of widespread corporate layoffs and terrorist threats, the vulnerability of a company to potential security breaches has never been more real. So the days of hiring a semireformed hacker to head security are long gone, says Homer. "In order to understand and offer solutions for the security issues of the organisation, therefore, the CSO will need to have broad based experience with technologies such as public key infrastructure, enterprise user management, network and host intrusion detection, firewalls, single sign-on, biometrics and so on," she says. Preferably the CSO is professionally certified as well. Lew, for instance, staffs his team with security personnel who have certification such as CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditors).