In search of the CSO

Deep in the heart of the IT jungle a new breed of professional is emerging -- the chief security officer. These creatures are becoming more commonplace in the US, a few are known to inhabit Australia and sightings have even been claimed in this country.

Deep in the heart of the IT jungle a new breed of professional is emerging -- the chief security officer.

These creatures are, with the unwitting help of the terrorist fraternity, becoming more commonplace in the US, a few are known to inhabit Australia and sightings have even been claimed in this country.

However, a safari across Kiwi big business and government was not able to definitively spot one of these rare beasts. One apparently exists in the corporate thicket that is Telecom's ISP, Xtra, the company having recently advertised to fill a post, but this could not be confirmed.

More likely, their natural environments here are inhabited by IT security specialists, technical risk managers and those with similar titles, or their role is spread across an entire department.

“We are a paranoid breed,” says Mike Maclean, technical security manager of Vodafone, who performs a CSO-type role.

The CSO title comes about as IT security increases in importance and corporations split the function from the rest of IT. The role may also include other business or operational security functions, and policy issues such as privacy.

Their growth is exemplified by the appearance of CSO publications in the US and Australia, both part of the IDG stable, publishers of Computerworld.

Recently, the Australian retail chain Coles Myer appointed its first CSO and analysts expect 20% of Australia’s largest corporations will have one, rising to 60% within 18 months.

Sydney-based Meta Group senior consultant Michael Warrilow says CSOs establish target architectures and best practices for enterprise-wide security services.

Such people may well be former CIOs, particularly ones with a business background, and may have legal experience. They must also know government security and privacy legislation. Such people may report direct to a board, CEO, the finance or operating chiefs, or a CIO, Warrilow says.

The CSO will have a broader range of skills than a CIO, he says, as a “facilitator, sponsor and a champion, but they need to be technically savvy”.

Obviously, government departments, the banks, telcos or the largest corporates are most likely to employ CSOs at this stage, though incorporation within an IT executive's responsibilities or a split of the job is to be expected.

Telecom, for example, has six people in Wellington performing the role in its risk services group, says spokesman Andrew Bristol.

A spokesman for the Government Communications Security Bureau (GCSB) says private-sector companies and government departments would employ such people, though probably operating under another name.

TelstraClear says such a role is split between a networks group and an information systems group, which is led by a head of information systems.

Banks such as ASB, Westpac and the Bank of New Zealand say they don't have a CSO but would have people performing such roles either individually or across departments. Carter Holt Harvey had no such person, and their work was done by others, says CIO Jeremy Fleming.

Vendors such as Computer Associates and Symantec had not heard of any, with Symantec NZ head Richard Batchelar saying Kiwi businesses are still replacing corporate IT managers with CIOs.

For better or worse, there is some life in the title. Transpower in Wellington has just appointed a senior IT security specialist, Bernard O’Brien, who looks at the power company's security and similar companies overseas to ensure it meets best practices and international standards. He says his role includes looking at security policy, recognising risk and participating in industry forums. For Transpower, security also means security of supply, as well as that of IT.

O'Brien has spent nine years at Transpower. He is a former computer network operator with UK banking security experience.

Fonterra's NZ Milk consumer products division employs someone in a CSO-type role -- Barry Norris, global manager IS operations and mergers and acquisitions. He says he is responsible for operational security, but says information security policy resides with someone else.

Closer still, Vodafone technical security manager Mike Maclean says he performs the same role as a CSO. He is "responsible to the executive for looking at security policy, controlling how we spend money to meet the objectives", he says.

"As a dedicated role, the CSO has just appeared in the past year or two," Maclean says. "It's pretty American. Maybe in Australia they exist at American-owned companies. Basically a lot of us migrated from one role to another."

If you're interested in becoming a CSO, the GCSB spokesman recommends a read Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace from cybersecurity specialist Richard Power.

Greenwood is Computerworld's human resources reporter. Send letters for publication to Computerworld Letters.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags careersOn The Job

More about Andrew Corporation (Australia)Bank of New ZealandCA TechnologiesColes GroupCSOIDGMeta GroupSymantecTelstraClearVodafoneWestpacWestpacXtra

Show Comments