Introducing the new CSO...
Published: 21 March 2007 00:00 GMT
More companies than ever are employing a dedicated chief security officer (CSO) as the number of threats facing business continues to rise.
The CSO is also taking increasing responsibility for compliance as the regulatory landscape becomes more daunting, according to one leading security executive.
Research from the Economist Intelligence Unit shows the number of CSOs taking ultimate responsibility for the security of a business has almost doubled year-on-year. Although the CIO still has sign-off on security decisions in 30 per cent of organisations, 12 per cent of respondents said they now have a CSO who assumes that responsibility. This is up from seven per cent last year.
Denis McCauley, director of global research at the Economist Intelligence Unit, told silicon.com: "The status of the CSO is rising."
And with the rise of the CSO comes a closer relationship between security and the core business, according to Martin Carmichael, CSO at McAfee.
Carmichael told silicon.com: "I think CSOs should be more business focussed. The CSO has to be a very unique person. They have to understand the technologies but while I could go on about cryptography and prime number theory there isn't a CEO in the world who wants to have that conversation."
"We need to be able to communicate in business language, not technical language," said Carmichael.
CSOs must also learn to deal in risk and not the absolutes of 'secure' or 'insecure', which may be the traditional mindset of CIOs and IT managers.
'Acceptable risk', based on business needs and budget, is a more realistic objective for the CSO, said Carmichael.
"I can harden an environment to the nth degree but I can't afford that," said Carmichael of the realities of his role, adding that CIOs and IT managers who progress into the CSO role often have "an epiphany" when they realise the world can no longer be divided into 'secure' and 'insecure'.
The EIU research also revealed that the share of IT budget being spent on security has increased from 15 per cent to 18 per cent year-on-year.
"The seriousness and severity of security threats is perceived as being on the rise," said the EIU's McCauley.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.