Security 2.0. That may not be an official moniker for the state of security, but with Web 2.0 and Cloud 2, perhaps it should be. Indeed, the role of the chief security officer has evolved -- and expanded -- in the past 10 years. Even in the past year, policy, process and technology look different.
A security professional needs to accept a shift away from controlling which devices employees use, how those devices connect to the corporate network, and which applications are allowed. In its place, most organizations are moving toward an approach that lets employees reach corporate data from anywhere, on any device.
For example, technology allows employees to easily connect their work and home lives through social media, blurring the line between personal and work. Another shift that a CSO must embrace is the move away from implementing controls to protect data, to developing ways to trust cloud vendors as data moves out of their control.
Are CSOs Losing Control?
"Many CSOs are struggling with the increased use of personal devices like iPad, iPhones, Droids, etc. Some still believe that they can control what the users can and cannot use in their corporate environments," said Randy Barr, CSO at Qualys. "Unfortunately, they have not realized that they are slowly losing the ability to control what their employees can and cannot use. Users today have more knowledge about supporting their devices compared to users 10 years ago."
Access to the Internet through employees' personal devices is much faster. Organizations that block tools like instant-messaging services and sites like Facebook and Twitter are finding these are now easily accessible through personal devices like iPhones, iPads and Android-powered devices, Barr noted.
Tools available as a service are also more accessible to employees than in the past. Barr said some of these services are difficult for security professionals to monitor using traditional security technology. However, he added, technology today is addressing some of the gaps with solutions like desktop virtualization for personal devices, online services that implement their own security features, and security as a service.
"As CSOs revisit policy, process and technology to adapt to the changing landscape, we should also focus more time and effort on people," Barr said. "As CSOs take advantage of solutions that are being offered as features with some of these online services and provide security solutions that can be installed on the employees' devices, they will need to promote awareness on the use of those tools and the threats that are out there. Most importantly, corporations will need to make sure that employees understand that they have more security responsibilities."
On the Way To Security 3.0
Chris Silva, senior vice president for the Institute for Applied Network Security, sees plenty of changes for Security 2.0. He pointed out that information security organizations are on a path from Security 1.0 to Security 2.0. In Security 1.0, information security is viewed as a cost center or service bureau. By contrast, in Security 2.0, the security function transitions from cost center to a more proactive organization that delivers improvements to the bottom line and strategic differentiation to the business.
As he sees it, this drives the CSO in several ways: shifting focus from securing existing systems to the business decisions being made, ensuring security is taken into account in the early planning stages, and discussing security's role in terms of risk and business exposure. The CSO also needs to build a different kind of team, one that can design frameworks, architectures and policies for the business.
"The endgame of the CSO is to market security internally and often externally such that it becomes a core business value," Silva said. "Once established as such, the organization begins mapping out a security and risk assessment as the first phase of every project, technical and otherwise. This fully mature stage is Security 3.0 and is a future state for most companies."
Security Must Allow Business
Ray Dickenson, CTO of SafeCentral, has a unique business perspective on the growing role of CSOs. He said security is an obstacle rather than an enabler. If one e-commerce web site requires you to change your password every three months and another does not, which one will get more of your business? Probably the one with the password you remember -- not the one with the password-changing policy set by a diligent CSO.
"It is not sufficient for today's CSO to be an excellent protector of corporate data and resources. The CSO must have a strong sense of business enablement, and differentiate his company by developing security practices and associated company culture in a way that optimizes the company's ability to do business," Dickenson said.
If the CEO, CMO, vice president of sales, and other senior business executives feel confident that the CSO understands the paramount importance of business moving forward, they will be more likely to accept the inevitable constraints that the CSO must apply in specific areas of risk exposure, Dickenson said. Otherwise, the CSO who builds a bastion of security will be replaced, worked around, or see the company fail.
"There is no simple formula for balancing business and security requirements, which is why a good CSO is a very valuable asset, and an overly strict or shortsighted security executive is a liability," Dickenson said. "The best CSO will not hide behind strict security policies at the expense of customer satisfaction or business agility. Rather, the CSO will encourage his or her team to constantly look for ways to let business move forward 'at the speed of need' while accommodating security and compliance requirements."