I was just reading an article called Does Facebook even need a CSO? – initially my reaction was (as most of yours I guess): “What a stupid question, for sure we need a CSO”.
However, is this true? Do we really need a CSO? Are there other models which would work as well? What is the reason we have one? Just compliance?
Let’s think outside the box. It is actually security we need. Security needs to be part of the culture and must be part of the agenda of the executive board and the board of directors. So basically if the different tasks are taken care of, it could work but will it?
I guess that the theme is way too important for most companies (even though not all of them realized it) to just bet on “somebody” taking a task and do it. We have seen that with a lot of different themes like diversity, privacy and a lot of others. I think we need a CSO but as I mentioned so often: The CSO needs a new job description and a different profile. The CSO needs a sound understanding of security but then needs to understand the business as well thoroughly. Like that he/she will not “only” take care of security but will add value to the business and the CSO is seen as a value-add.
If Facebook (or any other company) decides not to backfill a leaving CSO, I am wondering whether security is really taken seriously in this company. Ultimate responsibility is with the CEO and the business but not even in technology companies I would expect the top management to have the necessary bandwidth to deliver. I would even go so far to say that it is not possible to run sound security without a CSO keep the different initiatives together and making sure that there is a balanced risk exposure across the company. To be clear, I am convinced that the contrary does NOT hold true: If you have a CSO security is taken care of. That’s a fallacy – it still needs a lot of work and a full-hearted commitment by the top management.
What is your take?