CSO 2.0: How to take your security program to the next level

Security is all about the big picture now. Here are some pointers from George Viegas on how the "CSO 2.0" can take a more effective approach to security in 2014 and the future

Information security is changing rapidly. At each new security conference it seems as though there are almost twice as many new tools and new vendors as at the previous edition. Security incidents are occurring more often and with greater financial or reputational impact.


At the same time, resources for security and IT remain nearly constant. How do we do more with less? How do we govern in a rapidly changing environment? How can we be more in tune with the needs of the business and make security a driver of change rather than a box to check? To take a page from a popular ad campaign, here's a look at some key elements for CSO 2.0s to have in their wallet for success in 2014 and beyond.

CSO 1.0

  • Little to no understanding of what makes the business tick
  • Focused on securing the external network only
  • Remains within the information security domain
  • Metrics and reporting to the business are primarily technical and security-based
  • Relies on anti-virus and security technology only
  • Adds new security tools because they are trendy and everyone is doing it

CSO 2.0

Business

  • Engages with and understands the business: Is in close touch with peer business leaders and has touch points and feedback loops across multiple levels of the business organization
  • Metrics that the business can understand, risk-based and tied to dollar amounts: Aligns security objectives with business goals, even trying to make security a driver for more business

Technical

  • Treats both the external and the internal network as hostile: With the proliferation of mobile devices and APTs, the internal network must be treated as just as hostile as the external one; add SSL/TLS to critical internal websites as you would on external sites
  • Proactive focus: Concentrates on proactive security measures such as security training and continuous security scanning of production systems

IS Management

  • Risk- and compliance-based approach to information security: Finds the right mix of security tools to address business risks, together with non-security tools such as legal agreements for risk mitigation
  • Holistic information governance approach: Works across the board with other data governance stakeholders such as privacy, compliance and legal to create a cross-functional approach to data, information and asset governance

What CSO 2.0 tips do you have in your wallet that you'd like to share? Please comment.

George Viegas, CISSP, CISA is Director of Information Security at a leading multinational information and media company based in Los Angeles.
