Security officers must look beyond IT

by Iain Thomson

21 Feb 2005

Chief security officers (CSOs) need to look beyond the IT side of their jobs and concentrate on the bigger business picture.

A panel of industry CSOs at the RSA Conference in San Francisco agreed that companies are no longer looking for pure IT specialists to fill the CSO role, but are valuing those with real-world business experience.

"Working on my MBA was critical," said Lisa Johnson, global information security manager at Nike. "When I went to speak to the business team I could talk in their language. You need to make sure you understand what's important to your business, not just your IT systems."

This move away from a technical focus also affects how CSOs should protect employees. The rise in social engineering attacks means that CSOs need to educate computer users about safe computing rather than just relying on technical systems.

"Technology is still very important, but the people and processes have become more important," said Dennis Devlin, CSO at the Thomson Corporation. "Look at social engineering: we must spend more of our time not being doers but being educators."

Software companies also need to concentrate on informing customers rather than simply trying to fix software. The majority of the panel agreed that the major software houses should be more open about flaws in their code and work with the industry to find solutions.

"I would rather know than not know [about flaws]," explained Devlin. "We subscribe to intelligence services and need to know this information as fast as possible."

CSOs also need to manage expectations. There is no such thing as a totally secure computer system and companies need to recognise this fact.

"There is a double-edged sword [in computer security]," said Karen Worstell, the newly appointed chief information security officer at Microsoft. "The issue is one of setting expectations. The worst thing you can do is over-promise and under-deliver."
