Comment: A logical shortfall for the ‘complete CSO’

Johnson says that although a large number of CSOs will have solid experience with managing physical security of the business, few will have the specialist logical security training to deliver an effective overarching strategy.
Paul Johnson, Meridian

Large businesses commonly separate the roles of CSO and CISO, relating to the stewardship of physical and logical security, respectively. However, in many small to medium-sized enterprises, one individual often takes responsibility for both of these key functions, be they titled CSO, CISO or even, mistakenly, CIO.

This seems like a marriage made in heaven. After all, established and entry-level professionals, particularly at security vendors, are commonly trained and aware of the key dangers, technical intricacies and legislative pressures surrounding both logical and physical security.

Furthermore, the links between these two categories are unquestionably clear, taking into account the growing trend for sophisticated social engineering to facilitate computer crime, and the hike in legislation that bands these two areas together. Yet, while the rationale for appointing one individual as a ‘complete CSO’ appears sound, the legacy of a trend that emerged around three or four years ago continues to expose businesses to potential breaches.

Information security has always been a key issue for industry insiders, but when it came to prominence with the rise of e-commerce, social networking and notable reductions in the price of computing infrastructure equipment, businesses recognized the need for a senior figure to take the lead on logical security. Up stepped the CSO. They had the trust of the CEO or managing director, some limited logical security experience, and their appointment did not require a costly new hire.

However, this is not the miracle solution that it might at first appear to be. Senior management teams often see the word ‘security’ and presume that the threats and the skills will be similar. Although a large number of CSOs will have good, solid experience with managing security of the business, particularly on the physical side, few will have the specialist logical security training to deliver an effective overarching strategy.

It is a real leap to move from an area where threats are visible and physical barriers can be put in place, to one where intruders are hidden behind a network or an unseen interface.

Of course, anybody can buy a network security product off the shelf. Good CISOs, however, will come into their own when it comes to customizing the default configuration so that it works optimally for a specific business. This level of in-depth technical knowledge can be the most significant barrier to success – and, in many cases, the greatest threat to a business’s security.

For example, many CISOs must fulfill a range of obligations set out in payment scheme guidelines such as PCI DSS and ISO27001, most of which take a hard line on the actions that businesses must take to comply. However, in the absence of a common standard to govern all business activities, there is a wide range of conflicts and discrepancies, and there is no one definitive set of requirements.

It is difficult to take these standards together and get the ‘right’ answer at the best of times, and when an individual does not have the technical knowledge to make the best call, the task can be well-nigh impossible. An IT manager will, of course, have a view on the best way forward, but it is the CISO’s responsibility to digest this advice and align it with the business strategy.

A lack of understanding can reach beyond compliance and bring up real difficulties both for internal IT teams and external consultants. Recommending a new firewall, for example, can seem an unnecessary expense for a senior manager who cannot understand why the existing product cannot be upgraded.

For IT managers, working with a CSO without the right level of logical security knowledge can be a constant battle in terms of day-to-day expenses. Moreover, even where such a CSO might be persuaded that a purchase is a good idea, he or she might then struggle to gain buy-in at board level when directors pose the difficult questions.

If it is unfeasible to appoint a knowledgeable network security professional to take responsibility for the logical security strategy, then it is vital that CSOs undertake the training that will set them in good stead to make and approve effective and reasoned decisions. Industry-recognized qualifications, such as the Certified Information Security Manager (CISM) or Certified Information Systems Auditor (CISA) programs, enable holders to manage and audit their own systems, while a qualification such as the Certified Information Systems Security Professional (CISSP) will provide a good understanding of the technology itself.

Similarly, of course, a manager with an extensive knowledge of logical security would be expected to undergo training in physical security – it is a matter of fully understanding the threats they are managing, be they an intruder on-site or one looking to access the business’s confidential data from a computer.

Businesses, then, must make the investment in training CSOs to ensure the security of their organization and its data. The existing individual may have a deep knowledge of the company and its particular physical security issues, but ‘inheriting’ the logical security role can present a challenge for which he or she is not prepared.

For many businesses, the threat to their networks is now far greater than the threat to their premises, and this must be taken seriously at the board level, with the guidance of an informed and skilled CSO.


Paul Johnson is currently a director at UK-based Meridian, an NCC Group company. Johnson has worked in the technology industry for over fifteen years in senior management positions for Mondex and Multos certification authorities (MasterCard companies), and Keycorp Systems. He is a qualified electrical engineer with a degree in business management.

In 2001 Johnson established Meridian and undertook the role of managing director, developing the business to become a global audit and compliance company. He joined NCC Group as operational director upon its acquisition of Meridian, and is now responsible for the global delivery of the Meridian portfolio of audit and compliance services for NCC Group.
