How you measure a CSO

Page 3 of 3

Public-key infrastructure (PKI) The certificate authorities, policies and procedures that let parties who have never met exchange information securely. A PKI issues and publishes the certificates that bind the public keys used in public-key cryptography to the identities of their owners, and it keeps track of keys that are no longer valid, typically by publishing revocation lists that relying parties are expected to check before trusting a certificate.

Radio Frequency Identification (RFID) A wireless system for transmitting small amounts of data, consisting of a reader (an antenna and receiver) on one end and a transponder (or tag) on the other. A common example is the tag read in the fast lanes at toll booths. RFID tags are an alternative to bar codes and other identifiers that require a line of sight or physical contact to be read. They are gaining prominence because they are inexpensive to produce and easy to adapt; they can be embedded in tires or woven into clothing, for example. Many privacy advocates, however, are concerned about widespread use and abuse of the technology, since a tag can be read, and data collected, without its bearer knowing it is happening.

Return on security investment (ROSI) A way of reassuring the enterprise that its security investments are neither bottomless nor valueless. The point of maximum ROSI is where the total cost of security is lowest, factoring in both the expected cost of security breaches and the cost of the controls designed to prevent them.

Risk What keeps you up at night. A level of threat rationally understood in the context of your vulnerability to it. How much of it your enterprise will tolerate depends on what it has to gain or lose as a result.

Risk assessment The process by which risks are identified and their impact determined.

SANS Institute A research and education organization that offers security alerts, training and certification, and operates the Internet Storm Center.

Secure electronic transaction (SET) A protocol, developed by Visa and MasterCard, for secure end-to-end online credit card transactions. All parties (customers, merchants and banks) are authenticated using digital certificates and signatures, and encryption protects the confidentiality and integrity of the messages.

Secure sockets layer (SSL) A protocol that encrypts communications between a server and a client on TCP/IP networks such as the Internet. An SSL-enabled server authenticates itself to the client by presenting a certificate; optionally, the client authenticates itself to the server in the same way (mutual authentication), after which the two machines establish an encrypted connection. Most deployments authenticate only the server and rely on a password or similar credential to identify the user. SSL has been succeeded by Transport Layer Security (TLS); every version of SSL itself is now considered insecure and should be disabled.
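The PKI and SSL entries describe the same machinery from two sides: a certificate authority vouches for public keys and withdraws that vouching when a key is compromised, and an SSL/TLS handshake uses those certificates to authenticate the endpoints before anything is encrypted. The Go program below is an added example written for this glossary, not code from CSO, SANS or ASIS. It builds a small PKI with the standard library, issues server and client certificates from a hypothetical "Example Root CA", runs a mutually authenticated TLS handshake over a loopback socket, and then revokes the client certificate with a CRL. The host names, the CA name and the loopback address are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for name, signed by the parent CA or
// self-signed when parent is nil. All names used below are constructed for this example.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // end-entity certificate, usable as either a TLS server or a TLS client
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{name}
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Revoke publishes a CA-signed certificate revocation list naming cert.
func Revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cert *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()}},
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// IsRevoked consults a CRL, refusing to trust one whose signature does not verify against ca.
func IsRevoked(crl *x509.RevocationList, ca, cert *x509.Certificate) bool {
	if crl.CheckSignatureFrom(ca) != nil {
		return true // fail closed: an unauthenticated CRL tells us nothing
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// Handshake runs a mutually authenticated TLS handshake over loopback TCP: the client checks
// that the server's certificate chains to ca and names server.example.test, and the server
// demands a client certificate chaining to ca, refusing the connection otherwise.
func Handshake(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey, cliCert *x509.Certificate, cliKey *ecdsa.PrivateKey) (serverErr, clientErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the authentication mutual
		ClientCAs:    pool, MinVersion: tls.VersionTLS12,
	}
	cliConf := &tls.Config{RootCAs: pool, ServerName: "server.example.test", MinVersion: tls.VersionTLS12}
	if cliCert != nil {
		cliConf.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		srv := tls.Server(must(ln.Accept()), srvConf)
		done <- srv.Handshake() // fails when the client certificate is missing or untrusted
		srv.Close()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliConf) // Dial runs the client side of the handshake
	if err == nil {
		cli.Close()
	}
	return <-done, err
}

func main() {
	ca, caKey := issue("Example Root CA", true, nil, nil)
	srv, srvKey := issue("server.example.test", false, ca, caKey)
	cli, cliKey := issue("client.example.test", false, ca, caKey)
	s, c := Handshake(ca, srv, srvKey, cli, cliKey)
	fmt.Println("mutual TLS, server:", s, "client:", c)
	s, _ = Handshake(ca, srv, srvKey, nil, nil)
	fmt.Println("without a client certificate the server reports:", s)
	fmt.Println("client certificate revoked:", IsRevoked(Revoke(ca, caKey, cli), ca, cli))
}
```

Run it and the first handshake succeeds, the second (no client certificate) is refused by the server, and the revocation check reports true. Under TLS 1.3 the client's side of the handshake completes before the server has examined the client certificate, so a client that is about to be rejected sees no error until its first read; the server's result is the one to check. IsRevoked fails closed when the CRL's signature does not verify, which is the behaviour any revocation checker should have.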

Security policy A set of rules and practices that guides a system or organization in providing security services.

Sniffer A tool that captures network traffic as it passes through a network interface and decodes it for inspection. Administrators use sniffers to troubleshoot networks; attackers use them to harvest passwords and other data sent in the clear.
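What a sniffer can make of the traffic depends on whether it is encrypted. The Go program below is an added example for this entry, not code from the glossary's sources: it decodes a captured Ethernet/IPv4/TCP frame down to the TCP payload, the way a sniffer does after pulling the frame off an interface, and then extracts the user name and password from an HTTP Basic Authorization header sent in the clear. The frame is constructed inside the program (the addresses, ports and the credentials alice/hunter2 are invented) so that it runs offline; a real sniffer would read frames from a capture file or a promiscuous-mode interface instead.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Packet is what the decoder extracts from one captured frame.
type Packet struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Payload          []byte
}

// DecodeFrame decodes an Ethernet II / IPv4 / TCP frame down to its payload. It
// returns an error for any other protocol and for a truncated frame.
func DecodeFrame(frame []byte) (Packet, error) {
	var p Packet
	if len(frame) < 14 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return p, errors.New("not an IPv4 frame")
	}
	ip := frame[14:]
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return p, errors.New("truncated or non-IPv4 header")
	}
	ihl := int(ip[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || total < ihl+20 || len(ip) < total || ip[9] != 6 {
		return p, errors.New("not a complete TCP segment")
	}
	p.SrcIP, p.DstIP = net.IP(ip[12:16]), net.IP(ip[16:20])
	tcp := ip[ihl:total]
	off := int(tcp[12]>>4) * 4 // data offset, in 32-bit words
	if off < 20 || len(tcp) < off {
		return p, errors.New("truncated TCP header")
	}
	p.SrcPort, p.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	p.Payload = tcp[off:]
	return p, nil
}

// BasicCredentials pulls the user name and password out of an HTTP Basic
// Authorization header, which travels base64-encoded but unencrypted.
func BasicCredentials(payload []byte) (user, pass string, ok bool) {
	const prefix = "authorization: basic "
	for _, line := range strings.Split(string(payload), "\r\n") {
		if !strings.HasPrefix(strings.ToLower(line), prefix) {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[len(prefix):]))
		if err != nil {
			return "", "", false
		}
		return strings.Cut(string(raw), ":")
	}
	return "", "", false
}

// buildFrame assembles a constructed Ethernet/IPv4/TCP frame for the demo. The
// checksums are left zero because the decoder above does not verify them.
func buildFrame(src, dst net.IP, sport, dport uint16, payload []byte) []byte {
	eth := []byte{0x52, 0x54, 0, 0x12, 0x34, 0x56, 0x52, 0x54, 0, 0xab, 0xcd, 0xef, 0x08, 0x00}
	ip := make([]byte, 20)
	ip[0], ip[8], ip[9] = 0x45, 64, 6 // IPv4 with a 20-byte header, TTL 64, protocol TCP
	binary.BigEndian.PutUint16(ip[2:4], uint16(20+20+len(payload)))
	copy(ip[12:16], src.To4())
	copy(ip[16:20], dst.To4())
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], sport)
	binary.BigEndian.PutUint16(tcp[2:4], dport)
	tcp[12], tcp[13] = 0x50, 0x18 // 20-byte header, flags PSH|ACK
	frame := append(eth, ip...)
	frame = append(frame, tcp...)
	return append(frame, payload...)
}

// SampleFrame is a constructed capture of one cleartext HTTP request.
func SampleFrame() []byte {
	req := "GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
	return buildFrame(net.IPv4(10, 0, 0, 5), net.IPv4(10, 0, 0, 80), 51234, 80, []byte(req))
}

func main() {
	p, err := DecodeFrame(SampleFrame())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s:%d -> %s:%d, %d payload bytes\n", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, len(p.Payload))
	if user, pass, ok := BasicCredentials(p.Payload); ok {
		fmt.Printf("credentials on the wire: %s / %s\n", user, pass)
	}
}
```

The same request carried inside a TLS session would reach DecodeFrame as ciphertext and BasicCredentials would find nothing, which is the practical argument for encrypting any protocol that carries credentials.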

Tailgating The act of entering a building behind someone who holds the door open with legitimate access credentials. Tailgating is one of the most common techniques criminals use to gain unauthorized entry into facilities.

Virtual private network (VPN) A way of extending a private network across a public one. VPNs allow remote users or sites to connect securely to an ISP or a private IP network through an encrypted, authenticated tunnel that is cordoned off from the public portions of the Internet. A VPN is generally less expensive for a company than building and operating its own dedicated network, and the service is often outsourced to a carrier.

Virus A hidden, self-replicating piece of software, usually malicious, that propagates by infecting (for example, inserting a copy of itself into) another program. A virus cannot run by itself; it executes only when its host program runs.

Wireless application protocol (WAP) A specification for a set of communications protocols to standardize the way that wireless devices, such as cell phones and radio transceivers, can be used for Internet access, including e-mail, the World Wide Web, newsgroups and instant messaging.

Sources: CSO reporting; SANS Institute; ASIS

Chief security officer (CSO)

The highest-ranking security person in a company. Responsibilities can cover both corporate and information security, including policy and execution across such varied areas as risk assessment, physical security, background checks, data privacy and intellectual property protection.

Copyright © 2003 IDG Communications, Inc.
