The New CSO: Cyber Security Officer
Pat Clawson - August 24th, 2011
It was fellow blogger Paul Henry’s number one prediction for this year. And while I applaud Paul’s spot-on prediction, I’m not happy to admit he was right. Cyber attacks are no longer coming from smalltime pranksters. Today’s attacks are too extensive and intelligent to come from a source of this type. Rather, they are coming from entities that have extensive resources and significant funding – i.e. state governments. This was the source implicated in McAfee’s report on “Operation Shady RAT.” And while Shady RAT, like Stuxnet, has yet to be absolutely linked to a government source, it’s evident that more measures need to be taken into account in order to fight attacks of this caliber.
Earlier this month the Obama administration released the first-ever roadmap for a “coordinated national initiative focused on cybersecurity awareness, education, training, and professional development.” Increasing awareness of cyber security issues and educating technology users is a critical first step and one that Lumension I have written about here and we have additional plans on this topic coming out next month.
Also included in this initiative is the equally important goal of building a U.S. cyber security workforce. This is also an important step in investing in our nation’s future. As the roadmap indicates, there is currently no definition of what it means to be a cyber security professional and so the draft strategic plan includes specific instructions for the federal government on how to “maintain an unrivaled, globally competitive cyber security workforce.”
For example, by 2012, agencies must adopt cyber security competency models. By 2015, the government will produce an estimate of the health of the national cyber security workforce. By then, federal contractors also will be required to comply with standard cyber workforce descriptions to win government business. And, the government expects to see a 20 percent increase in qualified cyber security professionals nationwide. Developing cyber pro qualifications is another part of the strategy and by 2013 officials will have created a baseline for the skills required of all cyber security professionals.
This brings up an interesting question – won’t we need these cyber security roles in place well before the projected 2013 date? Given the history of how slow-to-act the government has been around cyber security, I believe it is our responsibility as part of the larger security industry to push things forward as everyone looks for ways to tackle the cyber security issue and stay ahead of attacks.
In fact, some organizations are already creating an entirely new position focused solely on this effort. And I don’t mean CSOs, CIOs, CISOs or the usual titles. Rather, this position is dubbed “cyber security officer.”
Since there is no current definition of cyber security officer (as validated by the recent roadmap), it’s helpful to look at what it isn’t. According to the 2010 State of the CIO survey by CIO Magazine, it is a CIO’s job to focus on aligning IT initiatives with business goals (64%), improving IT operations and systems performance (51%) and cultivating IT/business partnerships (48%). While more focused on security specifically, a CISO still must still divide time between both physical security (think infrastructure and technology implementations) and cyber. Different from both of these, a cyber security officer is focused entirely on cyber security. A number of organizations have felt the need to rethink security priorities and distinguish these roles as cyber crime becomes more rampant.
One such organization is Huawei, who announced the hiring of a “global cyber security officer” earlier this month. For Huawei, the purpose of this role is to “monitor and improve all aspects of information security across Huawei’s global supply chain.” It also includes overseeing “delivery of telecommunications networks based on the security requirements of… customers and the jurisdictions in which they operate.”
While Huawei has created a new role, others are taking a different approach–tacking on the added responsibilities of a “cyber security officer” to the already appointed CSO or CISO. This puts the CSO in a unique position in that he will oversee security on a much larger scale tying in cyber security on a global level and taking on the more recent barrage of APT’s. Because APT’s are generally linked to foreign nation governments, I’ve seen more and more companies adapting to this and will touch on this in my next blog post when I return from the Pacific Rim. Companies like Amtrak, North American Electric Reliability Corporation and Deloitte and Touche because of their foreign vendor ties, have further validated this, by introducing cyber security efforts into their respective information officer titles.
Any organization can benefit from implementing a cyber security role (in any capacity) now and can hold direct competitive advantages. By implementing a cyber security role, organizations can catch breaches faster—saving time, money and reputation. Hiring a cyber security officer can seem daunting, primarily because of budget issues, but it isn’t something to be overlooked especially in light of the new U.S. roadmap for building a cyber security workforce, which is a good indication of where the market is heading. Employing a cyber security officer can ultimately save your organization an average of $6 million per year, which is the average cost of a cybercrime.
Whichever route companies are taking, the evolution to incorporate more cyber security measures under the new CSO umbrella is something we are watching closely as organizations we partner with continue to try to stay one step ahead of the bad guys. And while dedicating a key, point-of-contact person for a well-defined “Cyber Security Officer” role will always trump an ‘ad-hoc’ position—at this point, anything is better than nothing. So my question is…do you see cyber security taking on a role of its own outside of your company’s ongoing security practices?