Opinion

What Is a CSO?

Occasionally we are taken to task by one security leader or another. They tell us that CSO's editors, principally meaning me, I suppose, 'still don't get it,' by which they mean we don't understand what security is all about or what a CSO really does.

By Derek Slater

May 01, 2006 | CSO

Usually the crux of the argument is that we're too focused on information security, or on corporate security, or on the convergence of the two fields—depending on the primary responsibilities of whichever critic is speaking.

OK, I'll pick up that gauntlet. Here's what I think a CSO is, what this magazine is about and where security is headed.

First let's talk about the actual job title "CSO." For clarity's sake, I use the title to mean a departmental leader responsible for both information security and corporate security. (Corporate security encompasses not only physical security issues but potentially also intellectual property protection, fraud prevention, loss prevention and lots of other stuff depending on the company in question. Referring to this whole field as "physical security" is a gross oversimplification.)

I recognize that there are many smart folks in the real world with the official CSO title who don't shoulder the burden for both areas. However, if the CEO has a question about finance—any question—then he expects the "Chief Financial Officer" to be able to answer, or find the answer quickly. When the "Chief Security Officer" answers security questions with "Oh, that's not my problem; that's those other guys over there," the message to the CEO is that there's really no "chief" who can give him the big picture on the company's operational risk. Ultimately, I think the title is going to gravitate toward those who own all of security.

Now semantic arguments like this one are unfortunately dangerous and often unproductive. This discussion of titles is not to diminish the value of the head of infosec or the head of corporate security. On the contrary, CSO magazine and our website are founded on the concept that both areas are of critical importance. We write about both in great detail and proudly count both groups among our readers. So whether you agree or disagree with my semantic argument about titles, you're going to find articles in CSO that help you do your job.

Consider the features in this issue. Senior Editor Sarah D. Scalet looks at the security ramifications of search engines, most of all Google. Scalet also offers a condensed spin through products and technologies for securing portable devices, from laptops down to BlackBerrys. And Senior Editor Scott Berinato examines security governance with a case study of T-Mobile's wholesale revamp of risk management, prompted largely by embarrassing network hacks.

Great, practical stuff. And sneaky too: Each of these articles directly addresses issues of concern whether you're charged with prevention of hacks, physical theft or fraud perpetrated by your competition. At the threat level, and the technology level, and the governance level, security is getting all meshed together. In the past we've called it convergence. That's another term that illustrates the dangers of semantics; some people dismiss it as a buzzword. It's their loss if they miss the power of the underlying concept. I'm not hung up on the term convergence or how you achieve it on your organizational chart. The point is to do security more effectively and more efficiently by connecting all the allies in a net tightened by communication, cooperation, process and accountability. It's the direction in which security leadership is headed, and all constituent parts of the field benefit.
