Analysis: The CSO - PR stunt, scapegoat or good idea?
Security is on the top of everyone's agenda at the moment, but is the appointment of a chief security officer the best way to tackle the issue?
There have been a spate of high-profile cyber attacks on large organisations in recent months and you could argue that there has never been a worse time to be a chief security officer (CSO).
Or perhaps that's the wrong way to look at it. These attacks, from hacking groups such as Anonymous, splinter faction Lulzsec and other less public hackers, targeting major private organisations, and public bodies such as the CIA and the UK's Serious and Organised Crime Agency (SOCA), have pushed security to the top of the international agenda.
So since their domain is seen as more important than ever, perhaps there's never been a better time to be a CSO?
Given that security chiefs are currently being asked to do more with less, many CSOs will scoff at that statement, but there's no doubt that security is on the top of several agendas, not least the IT manager's.
The government was due to launch its new cyber security strategy last week. Although it has delayed the launch, to "dot the i's and cross the t's" as it put it, cyber security remains a tier one issue.
Also last week, security awareness topped a poll by BCS as the most important attribute of the IT professional of the future.
And there have been several high-profile breaches recently, again pushing security into the spotlight.
Both Sony and RSA failed to protect their information this year when they suffered hugely embarrassing, and hugely expensive, hacks. Sony has put the cost of its breach, which occurred from April to June this year and involved the leakage of over 100 million customer details (including sensitive financial data), at around £107m.
You could argue that the damage to its brand's reputation is going to be even more costly in the long term.
According to Reuters, shares in Sony have fallen 55 per cent since the company first revealed it had been the victim of a hack. This month, Sony appointed a new chief information security officer, Philip Reitinger, four months after the breaches.
RSA's breach in March required the company to replace 40 million tokens worldwide following fears that the seed files had been captured by criminals, enabling them to crack the secure tokens used by its customers. The company also admitted that the breach had cost it £40m so far.
In June this year, it appointed Eddie Schwartz as its first CSO.
But with security and the role of the CSO under increasing scrutiny, it is worth asking whether these appointments are the best way of addressing difficult security issues, or whether they are simply a quick way for boards to show that they've done something. Have Schwartz and Reitinger been appointed to soak up the blame for the next wave of cyber attacks? Or does this represent sound, if tardy, judgment?
Andy Kellett, senior research analyst at Ovum, says he is surprised that these companies didn't already have CSOs.
"I'm surprised that those companies didn't already have someone in place in that role. For such large organisations you'd naturally expect them to have someone in this position."
Graham Titterington, principal analyst at Ovum, says that the role is necessary, and more than a simple PR exercise.
"If the company is big enough then it's proper to have a CSO and not just wrap it up into the CIO role. The concept of the role is sound, I wouldn't dismiss it as a political gimmick."
Schwartz, RSA's new CSO, told Computing that he took the role with his eyes open.
"When you take on a role like this you take on all the associated responsibilities. RSA aren't looking for a scapegoat, they're looking for someone to help them put together a successful security programme."
Schwartz recognises that his appointment doesn't mean RSA can never be hacked again, but he hopes that his work will make the firm more alive to future threats.
"Ten years ago someone said, 'How do I pay you as a CSO?' I said, 'I'm not going to commit to fewer than 10 virus outbreaks per year,' but an interesting metric is: are we getting better at reducing the time it takes us to be able to see these advanced attacks?"
He explains that many companies don't notice an attack until months later, when the attackers may have already got the data they wanted and left.
"For a long time these advanced attacks were able to continue without being noticed.
"We need to shorten the window of opportunity for hackers, and measure our ability to limit the damage. Then we're bringing the fight to the adversary."