IT Security

The Chief Security Officer... Is It Time?

07.04.2003 by Ann Toh
Security of the corporate network belongs at the top of the priority list. But should this area of responsibility be assigned to the CIO? Would it be better to create a position of equal standing that can evaluate the protective measures independently?

Source: CIO Asia

September 11, 2001 was a wake-up call to businesses all over the world. Corporations, especially those in the U.S., whose operations came to a standstill after terrorists attacked the World Trade Center in New York, were made painfully aware of the urgent need to assess and upgrade the security protecting their information systems, and protect the privacy and physical security of their workplaces. As a result, many have established a new executive-level position, that of the Chief Security Officer (CSO), as a key step to achieving these goals.

The CSO in these organisations is the top security executive. His chief responsibility is to oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, and its employees' physical safety. He identifies protection goals and objectives consistent with the corporate strategic plan and manages the development and implementation of global security policy, standards, guidelines and procedures. He also maintains relationships with law enforcement and other government agencies and oversees the investigation of security breaches and associated disciplinary and legal matters. Finally, he works with outside consultants for independent security audits.

The trend of creating an executive-level position for the sole purpose of safeguarding corporate security does not seem to have permeated the Asian corporate landscape. The CSO remains an American phenomenon, says Reza Ghazali, a partner at international executive recruitment firm Korn/Ferry's Global Technology Market practice, which places senior-level IT and operations executives for ASEAN companies. "The CSO is still more a buzzword here. It is a position, title that is fairly new in this part of the world, though it may be more widely used in North America and Europe as a result of increased security awareness after Sept. 11, among big organisations with a huge repository of customer information."

Attempts by CIO Asia to find executives with the "CSO" title in mid-sized to large Asian enterprises, among them Singapore-based telco Starhub Pte Ltd and Thailand's largest mobile operator Advanced Info Service PLC, were unsuccessful. IT security and physical security functions at the companies we interviewed remain distinct: the de facto "CSO" is equivalent to the executive who oversees physical security at some organisations, while at others, he is the executive who deals solely with information technology, who has IT Security Manager or IT Manager as an equivalent title, and who commonly reports to the CIO.

Yap Chee Yuen, Group CIO of JTC Corp., Singapore's industrial landlord, associates the CSO title with a physical security responsibility. "The title CSO in some organisations refers to [the executive looking after] physical security; in these organisations the CSO [title] is created."

JTC Corp. does not have a CSO, he adds, but where IT security is concerned, the CIO holds responsibility. "We have an IT security organisation with an assistant director appointed as IT security manager to execute our security programmes through an IT security technical committee. This committee is in turn overseen by an IT security steering committee chaired by myself and my assistant CEO."

This is typically the structure that governs the IT security function, he adds. "Typically, the CIO, through his IT security manager, has the responsibility to establish the baseline IT security standards and policies for the organisation, enable the organisational set-up to execute them, and develop the programmes to promote awareness, education and training."

A check with other mid-sized to large Asian enterprises yields the same findings. At Thai Airways, the CIO, too, holds responsibility for IT security. VP of IT Services Bu-nga Kornvinai says it has not appointed a CSO to take care of IT-related security. "However we have established a security committee chaired by myself, to set security standards and procedures," she adds.

At the Urban Redevelopment Authority (URA), Singapore's land planning agency, IS head Peter Quek says it has not created a CSO position, and IT security comes under the CIO's responsibility. "We don't create the title. The more important consideration is to have a senior executive or committee to take on responsibility and accountability for the security role. At URA, we have a security working group chaired by myself assisted by my security administrator, that looks at security policy, protection, detection, audit and recovery, and a high level IT steering committee chaired by senior management. Security needs to be managed at a high level."

At Dutch banking giant ABN AMRO, the situation is the same: security is tightly connected to IT. Vincent Lew, regional head of Technology Risk Management, Asia Pacific, says his organisation forms part of the IT function at ABN AMRO, and he has a reporting line back to both the regional CIO and the global head of Strategy and Risk Management based in London. "In the Asia Pacific, I don't see [the security function] moving out [of IT] anytime soon, as so much of what we do in banking and financial services is about systems and data processing...so it makes more sense for security to be within the IT organisation for functional and operational purposes. The security function generally started from IT, and, having been around only in the last 15 years or so as a result of the Internet, it is a young industry compared to [the other IT disciplines]."

These views indicate that a "dedicated" CSO is not a specimen found in many Asian enterprises.

Reporting Structure

One of the more sensitive issues surrounding the new office of a Chief Security Officer is reporting relationships. While the logical argument might seem to have the CSO report to the CIO - because the CIO heads IT and he may argue that this position should be a direct report because ultimately all decisions affecting technology should rest in his hands - industry experts and practitioners believe that the CSO should report to the COO or CEO, because the CSO's core responsibility will be vulnerability assessment and risk management.

Judy B. Homer, president of JB Homer Associates, a search firm in the U.S., explains why, in her column in CSO magazine, the sister publication of CIO (U.S.): "The CSO will evaluate the technology environment and audit the security measures implemented by the CIO - it is thus in the company's and CIO's best interest to have the CSO perceived as an impartial assessor of the technology environment instead of a possible rubber stamp."

ABN AMRO's Lew agrees: "The measures put forth by the security organisation have to provide a security framework on how technology will be governed - and so it cannot be policing IT if it reports only to IT. The regulators discourage this as well."

Skillsets

Experts also acknowledge that in a time of widespread corporate layoffs and terrorist threats, the vulnerability of a company to potential security breaches has never been more real. So the days of hiring a semi-reformed hacker to head security are long gone, says Homer. "In order to understand and offer solutions for the security issues of the organisation, therefore, the CSO will need to have broad-based experience with technologies such as public key infrastructure, enterprise user management, network and host intrusion detection, firewalls, single sign-on, biometrics and so on," she says. Preferably the CSO is professionally certified as well. Lew, for instance, staffs his team with security personnel who hold certifications such as CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor).

What are the qualities required of a CSO? Homer describes the security executive's job: "This executive will develop and promote sound security practices and focus the employees on their individual and corporate responsibility to adopt those practices. Most important, he will not only have to understand the technology environment but will also need to partner with the business and technology leadership to design and implement solutions that align the security needs of the business with the technical capabilities of the IT staff."

The individual that can successfully rise to this challenge will have a diverse skill set.

"A CSO should have the lethal combination of these skills: He must have a solid understanding of information technology and information security - including firewalls, Virtual Private Networks, penetration testing and other security devices; have an understanding of his company's business; and be able to communicate security-related concepts to a broad range of technical and non-technical staff," says Ghazali.

Other skills include experience with business continuity planning, auditing and risk management, as well as contract and vendor negotiation. Expert communication, negotiation and leadership skills, and a background in law, law enforcement or intelligence are also a plus.

Business Partnership

In all cases, effective CSOs have to work with the executive team to accomplish business goals. They should consider exploiting executive partnerships to off-load some of the work of communicating with the company about security. Lew, for instance, says he leverages strong management support and partnerships with other executives in PR and HR for security awareness, whether it is working with PR to print a poster or with HR and corporate trainers on educational programmes during staff orientation, so that existing staff and subsequent new hires learn that everyone is required to participate in protecting the company's security. The CSO also needs to market his group's services across the enterprise to get the message out about what it can do for business units. "A CSO needs to be very proactive in terms of what the business needs. Believe it or not there is a PR element in security: we need to sell it occasionally," Lew adds.