What are the qualities required of a CSO? Homer describes the security executive's job: "This executive will develop and promote sound security practices and focus the employees on their individual and corporate responsibility to adopt those practices. Most important, he will not only have to understand the technology environment but will also need to partner with the business and technology leadership to design and implement solutions that align the security needs of the business with the technical capabilities of the IT staff."

The individual that can successfully rise to this challenge will have a diverse skill set.

"A CSO should have the lethal combination of these skills: He must have a solid understanding of information technology and information security - including firewalls, Virtual Private Networks, penetration testing and other security devices; have an understanding of his company's business; and be able to communicate security-related concepts to a broad range of technical and non-technical staff," says Ghazali.

Other skills include experience with business continuity planning, auditing and risk management, as well as contract and vendor negotiation. Expert communication, negotiation and leadership skills, and a background in law, law enforcement or intelligence are also a plus.

Business Partnership

In all cases, effective CSOs have to work with the executive team to accomplish business goals. They should consider exploiting executive partnerships to off-load some work of communicating with the company about security. Lew, for instance, says he leverages on strong management support and partnerships with other executives in PR and HR for security awareness, whether it is working with PR to print a poster or with HR and corporate trainers for educational programmes during staff orientation to teach staff and subsequent new hires that every one is required to participate in protecting the company's security. The CSO also needs to market his group's services across the enterprise to get the message out about what it can do for business units. "A CSO needs to be very proactive in terms of what the business needs. Believe it or not there is a PR element in security: we need to sell it occasionally," Lew adds.