TORONTO — They protect enterprises from worms, viruses and denial of service attacks, but the chief security officers for some of Canada’s largest organizations admit there may not be a need for their role within the next five years.
Organizations of the first InfoSecurity Canada conference Wednesday gathered executives from the Bank of Montreal, Telus Corp. and the Computer Emergency Response Team (CERT) to discuss the evolution of chief security officers, or CSOs (sometimes called chief information security officers, or CISOs). While they all agreed the nature of IT security threats is changing considerably, they also said technological innovation could radically alter the way risk is managed in the future.
“”You’re going to see security become embedded within the system architecture itself,”” said Jim Robbins, president of Electronic Warfare Associates of Canada, the Canadian version of CERT. “”You’re not going to be looking for patchwork solutions to deal with patchwork awareness.””
As awareness grows throughout the organization, security assessment and policy will be a shared responsibility among all enterprise employees, particularly at the line of business manager level. “”In five years we’ll see the death of chief information security officers,”” Robbins said.
If that’s true, they will have enjoyed a very brief reign. Security experts began advocating the need for CSOs not long after the terrorist attacks of Sept. 11, 2001 on the United States. While a few firms responded to the call, the concept of a CSO has raised a number of organizational questions. These include what kind of expertise a CSO needs, how they interact with IT departments and CIOs, and whom they report to.
At Telus, CSO Gene McLean said he is directly accountable to the incumbent’s chief legal counsel. “”It’s a good fit,”” he said, advising the audience to avoid putting the job under the CIO. “”You’ve got to have them reporting into different people. Otherwise it’s like the fox is in the hen house. And the first thing to go will be security.””
Robert Garigue, CISO at the Bank of Montreal, started his career as chief technology officer for the government of Manitoba. He said the CSO’s short-term responsibility is to diplomatically articulate the nature of risk in a way that doesn’t alienate business units that are focused on other goals, like sales or productivity.
“”You have to make the debate less technical and talk about privacy, regulatory compliance and show that security is there to catch you,”” he said. “”It’s a doctor’s role . . . you try to encourage a healthy lifestyle, but then sometimes it’s, ‘Go to the hospital.'””
McLean agreed, adding that soft skills are particularly important if CSOs are to be heard. “”You want to go from being the Grim Reaper to the point where they’re not scared when they see you.””
Robbins argued that most enterprises leave too many critical decisions about security polices up to the system administrators, even as awareness of the issues is increasing. Awareness, however, doesn’t mean that enterprise companies are willing to share best practices; Robbins said reporting of threats and security breaches has declined. “”I don’t think the real impact of Slammer has been reported,”” he said. “”Are the facts getting out there? I don’t think so.””
The CSO role is especially important today, Garigue said, as the use of Web-based technologies to communicate between business blurs the boundaries of an organization. This means security breaches can have a cascading effect that affects an enterprise both externally as well as internally.
“”It’s not just something that’s hurting productivity, but a real business impact,”” he said. “”You have a security problem, and the bandwidth might get squeezed. If the bandwidth gets squeezed, that can affect the services you’re offering customers.””
An audience member pointed out that while large banks and telcos may be vigilant about security, it can be difficult for mid-size organizations to convince board members to manage risk appropriately. Robbins suggested that budding CSOs (even if they don’t use that title) use different metrics than the traditional probability of a specific threat. One example is what he called the “”rookie ratio”” — how many people within the IT department have been employed with the company for more than a year, and would be capable of responding to a threat? Garigue suggested measuring how quickly a patch to a security breach can be replicated across a particular organization.
InfoSecurity Canada wraps up Thursday.