CSOs becoming CIOs……A Natural Progression?

CSOs becoming CIOs……A Natural Progression?
by Drazen Drazic

Welcome Drazen Drazic, our newest guest blogger. Drazen’s posts will be a feature of our Wednesday coverage of the data security world. Drazen is the CEO of Securus Global. He is a strategic consultant, working across several industries on matters to do with Information Security strategy. Drazen is also a blogger. Heis the chief writer on the IT Security Management site, Beast or Buddha, where this post first appeared.

This is something I have talked about before.

Having been in roles in previous lives that has seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and I haven’t to be honest, seen it happen from memory in recent times – ie; a CSO becoming the CIO.

It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.

I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures.”

In his case (unlike many others we see a lot of the time), it’s not that the CIO is being a roadblock intentionally. He’s just maxed out the CIO’s headspace and CIO is struggling to understand what it is that CSO wants to do and why. Fair enough you may say….CSO should be “selling” it better, but at what stage should you cut the “sell” and ask why the CIO as the senior IT person in the organisation just does not get it? You can “sell” it till the cows come home but if someone just doesn’t get it [CIO], when in their role they should, what do you do?

His last resort is a presentation to the CIO (and board) by me. Do I know more than this CSO about his organisation? No, of course not. But external consultants are listened to (for good and bad…it is how it is and we all know that), and maybe having an external party being able to present a broader view of what “others” out there in business are doing, can kick start more gains by the CSO in his organisation. Time will tell but I digress from the topic.

In my view, having spent a good deal of time in this organisation and getting to know the organisation, key stakeholders, their business strategy etc etc, it’s clear to me that CSO has a far stronger knowledge of all of this vs. the CIO.

It’s not because this person [the CSO] is just good at what he does. He is, but a good CSO should know their organisation back to front to be able to be a good CSO and develop a good IT security and risk management program and strategy.

Combined with good business knowledge, you have someone [the CSO] who has that holistic enterprise view – better than most CIOs. What else do they need? Serious question. (See previous links on CIO failures above and ask this question again).

Tags: Beast or Buddha, CIO, CSO

This entry was posted on Wednesday, July 15th, 2009 at 8:26 AM and is filed under Community Manager, Guest Bloggers, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Comments

Rob says:

July 16, 2009 at 7:09 AM

We have watched the evolution of titles and responsibilities across the enterprise the last dozen years. I’m wondering if anyone thinks this is a tech issue or an issue of top-down malpractice, for lack of a better word. As enterprise continues to morph into new forms, such as the cloud, will responsibilities and the titles attached to them seek new levels or will the confusion, which seems to becoming from the top, become even more entrenched?
Like or Dislike: 0 0

Leave a Reply

	Name (required)

	Mail (will not be published) (required)

	Website

Related Tweets

Syndicated Content


	Things We Check Here is our cool new TV ad on Things We Check. The spot talks about the everyday things we all 'check' including the VeriSign check when we are online to stay safe. Check it out:... Impact of Design On Trust We attended RSA 2010 this week where VeriSign was a Platinum Sponsor. Executive Chairman, Jim Bidzos, gave a Keynote Address on the 'Internet and Trust' explaining that without trust, people are less likely to freely share information or transact online.... Launch of VeriSign Trust Seal With the launch of the VeriSign TrustTM Seal last week, we introduced a new section to the Website dedicated to the Trust Seal. The Seal enables Websites to communicate that they are a trusted site to do business with and...



	PayPal UK Launch Security Key - Guest Posting from PayPal I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly. Facebook scam - Part 2 This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info. Survey finds passwords are not secure - well d'uh! I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing. Well the discussion I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area



	Open Identity Exchange: enabling all the VISAs of identity The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards... Rethinking Internet Trust and Reputation Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the... Google Hacked or Why the Cyber World Could Get M.A.D** As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were...