Protecting data - the changing role of the CSO
In recent years I've noticed a definite shift in roles in the enterprise workplace. Nowhere is this more evident than in the role of the Chief Security Officer, or CSO. Traditionally, the position of the CSO encompassed security of personnel, physical assets and information. However, this position has evolved and hugely increased in importance as risks to device security increase, bring your own device (BYOD) policies expand, and sensitive company information becomes more open to security breaches.
Put simply, mobile phones were safer 10 years ago. Back then they were simply voice, text and email. There were no apps to install – that ecosystem simply didn't exist. As the operating system (OS) functionality of the device has integrated social and search platforms, it has also created risks to data, applications resources and identity.
These risks not only affect the CSO - in the technology-centred enterprise, workflows have evolved and are now based on a need to share and collaborate, virtually in real time. Employees simply cannot wait for IT teams to implement the new tools that they need for a given day or task. They will go and find their own. The CSO must therefore implement strong policies regarding unauthorised and potentially dangerous tools, such as Dropbox, in which intellectual property (IP) is often deposited by employees with little concern for security.
Evolving with the IT department
But it's not just the Chief Security Officer who is undergoing a shift. The IT department is also facing structural challenges, and the CEO is now constantly pushing the CIO for more security innovation. Mobile, social, search and cloud have converged to create new business models – and these resources often bring with them practical security concerns.
For example, protecting data on any mobile device is a constant challenge for IT departments, and one which CSOs must face head on. Not only do they have to ensure the device is suitably protected from malware breaches, but it is often the users themselves who pose the most risk to data security through device loss or theft. This makes the problem, despite being considered a solely IT issue, actually a shared issue amongst IT, the CSO and even HR.
Splitting security hairs
In fact, in some enterprises IT and device security is so important that the function of the CSO has been split – a CSO remains to oversee company security, while a new role is created – the Chief Information Security Officer – to oversee security in its digital form.
This CISO role in particular is most prevalent in firms whose data and business practices require compliance based on government policies. As big data/content, analytics and Business Intelligence (BI) continue converging, the CISO role becomes a critical path in protecting the firm's IP – its data and identity of employees, customers, prospects, partners, and suppliers across its ecosystem. The role will increasingly encompass devising a security strategy across the firm's connected estate behind its firewall and authorised cloud computing environments.
However, in my opinion, best practice is merging physical and digital security under one organisational umbrella. Preventing unauthorised physical access and securing identity, data (at-rest and in-transit), and access require a holistic policy strategy for consistent implementation across the firm's connected estate.
The CSO of the future
The increasing importance of the CSO cannot be emphasised enough, and the role itself is evolving quickly as a key strategic position. Companies are becoming savvier to these risks, which is in turn informing the evolution of the CSO's position.
Technology, security and control skills are, of course, still required, but so too are skills to guide business leaders in achieving their strategies with mobile, apps, BI and new models that work to monetise firm value.
New risks to data, applications resources and identity are born from the prevalence of sophisticated devices and new business models. In order to protect the enterprise, strong policies regarding unauthorised tools like Dropbox, which have the potential to compromise security, must be implemented.
Security is a far-reaching issue in the enterprise – it now affects everyone from the C-suite to HR, and a holistic view between the digital and physical is paramount. A savvy CSO with strong leadership qualities and awareness of security risks can be the bridge between these two worlds in the enterprise.
Contributed by Troy Fulton, Director – Product Marketing, Tangoe