CSOs need to keep evolving, CA security exec says

This is a transcript of a keynote address presented at the RSA Conference on Thursday by
Dave Hansen, corporate senior vice president and general manager for CA's Security Management Business Unit. The address is titled: "Strategic Security: The Evolving Role of the Security Professional."

Good afternoon.

Today, I am going to talk about security, but more specifically, I am going to explore the evolving role of the security professional.

In some organizations the senior security person is called the Chief Security Officer. Other companies use different titles – Vice President, Enterprise Security; CISO (chief information security officer); VP Security & Compliance, and so on. To keep things simple today, I am going to talk about the CSO, but please understand that my focus is on the senior-most security professional, no matter what title that role carries in your organization.

As everyone here knows, the job is changing. Not in quiet, imperceptible ways, but in ways that are loud, visible and meaningful.

When the role of Chief Security Officer emerged as a defined position, the common perception was that the role was akin to a corporate cop – on patrol within the organization to slap wrists when somebody broke the rules. Nobody really thought the cop was necessary, so, generally the position didn't get a great deal of respect.

But that's changed. In today's well-run enterprises, the CSO is more visible, has more authority – and more responsibility. No longer merely an enforcer of security protocol, the CSO works with the CIO, CFO and other C-Suite executives as a business enabler, a strategist, and a security evangelist who helps the organization recognize the need to embed secure practices in every facet of the business.

So what has brought about this change? And, how will the role of the CSO continue to evolve?

Let's start at the beginning – with why this job became necessary in the first place.

Connectivity was the catalyst.

The rise of the Internet and the proliferation of mobile devices enabled even small companies to extend their reach beyond traditional physical boundaries to create virtual businesses and execute transactions globally and instantaneously.

Suddenly, because information was now flowing outside closed, highly secured environments, confidential business-critical data was at risk like never before.

And organizations recognized that since they had to operate in this extended world to remain competitive, there was a need for greater security and for someone to take ownership of the issue within the organization.

As time went by and technology raced ahead, security issues grew more complex and more pressing. For most businesses an Internet presence and the ability to quickly transact business online became not merely an attractive option, but rather a business necessity.

Consequently, technology and the availability of IT infrastructures became critical not just for business success, but also for business survival.

As if the burden of responsibility on CSOs wasn't heavy enough, the rise of privacy and security regulation, including Sarbanes-Oxley (SOX) and the security standards of the Health Insurance Portability and Accountability Act (HIPAA), imposed a wide range of responsibilities and demands on companies to verify and safeguard data.