Security management for today’s businesses and corporations is complex. A company’s Chief Security Officer (CSO) is charged with identifying the organization’s assets then overseeing the documentation, development and implementation of any necessary policies/procedures for the protection of those assets. The CSO’s responsibilities may be divided into four basic categories: Information Security and Audits, Security Basics, Physical Security and Business Continuity, and Security Leadership.

Information Security and Audits

Penetration Tests: CSOs who work effectively use the penetration tests required perform by audit requirements/regulations to gather the most useful data possible. A penetration test is designed to identify and exploit any company vulnerabilities. Follow the data to develop a profile of the potential attackers. Consider all the potential vectors for attack, then design the rules of engagement and choose the attack team. After the attempt, report the findings to measure progress then develop and implement any changes needed.

Cloud Use: There are many security issues raised about industry and corporations’ use of cloud computing. Its plug-and-play immediate use makes it appealing and easy to use. It also makes it impossible to assess conclusively for relative risks. Though the Cloud Security Alliance (CSA) is working on this, security in the cloud will continue to be a major concern into the near future.

Log Management: The CSO is responsible for log management, which involves defining what information the company decides to log, how to do it, and how long to keep the information. This actually requires the use of Business Intelligence (BI) systems, as many of the same functions in a BI are used in log management (such as data extraction and warehousing). In the BI system, this data can be available to the whole organization and not just stored in a silo. The operations staff has access to the data for trends analysis for longer time periods than ever before, improving the business’ overall security. SIEMS (System Information and Event Management System) takes log collection to the next level through aggregation, correlation, alerts and reports.

Vulnerability Management: Vulnerabilities are the gates through which threats enter the enterprise. The more applications a company deploys, the more vulnerabilities it creates for itself. Security management must identify the primary threat vectors within the company. The biggest danger is the power of a threat to gain a toehold somewhere, and then pivot to another part of the system. Vulnerability testing may be conducted with pOf (passive OS detection), Nmap, Nessus or Hping. When vulnerabilities are discovered, they must be dealt with or the testing does not achieve anything.

Network Security: The keys to information security are to build the network/system correctly initially,then know the traffic coming in and out of it. Perform a threat vector analysis, then ensure there is Role-Based Access Control (RBAC). Separation of duties and separation of services is effective when money is handled. Cryptography is highly effective.

Endpoint Security: The use of wireless networks continues to grow. Cell phones and PDAs are connected to the Internet at all times. CSOs must help their organizations understand that it is essential for their safety to engineer security on these devices themselves as endpoint security. Service Oriented Architecture (SOA), which online banking has, is the wave of the future.

Wireless Security: All the new web-friendly smart phones devices have the central threat of call interception during transmissions. The primary protection for wireless networks is encryption and authentication.

Phishing and Identity Theft: The new prevention technology of sender authentication holds promise for reducing phishing attempts and attacks. Companies have altered the ways they use email to their customers to prevent identity thieves from using it.

Identity Management: Identity and access management really go hand in hand. The identity management system must have a directory of personal data system users, ways of regulating access, security policies, password resets, lifecycle management and an auditing system.

VoIP Security: Security vulnerabilities are increased with the introduction every new IP device into an enterprise’s network. Threats such as DoS and DDos attacks, eavesdropping on the core network, no hardening among VOID items by their vendors and SPITing occur. Companies must require proof of hardening from vendors before buying smart phones or IP IBXs for safety. Make sure factory default passwords are changed when equipment is received and before it is installed for use. CSOs must stay educated on threats/solutions related as VOIP use becomes more prevalent.

Physical Security and Business Continuity

Fraud Prevention: The CSO must make the business the least attractive target possible. Strong internal controls are the first step. These must be fluid and evolve over time as the business grows and changes. Technology and societal fraud evolves as well. So do legislation and regulations. Most helpful, though, is educating the entire workforce so that they see themselves as partners in this holistic process. Fraud is far more likely to be discovered through a tip than any other method. Everyone helps protect the bottom line.

Physical Security Information Management (PSIM): Combining IT with BI to synthesize and analyze data from physical sensors, videos, and logs, it then becomes information which can be used to make decisions on security and business practices. The supporting technologies and processes of PSIM make it the foundation of security’s next generation. The trends today that are making it more affordable and practical are: CEOs are asking for more and more data; new security data aggregating/correlating software is available; traditional processes are becoming dated; businesses are using more and more critical functions software; PSIM principles produce improved situational awareness; and technology product costs continue to drop.

Video Surveillance as a Service (VSaaS): Cloud computing meets video surveillance as VSaaS systems are hosted by traditional video management (VME) and camera software companies at much lower costs.

Social Engineering: Scam artists exploit human psychology through social engineering to gain access to vulnerable spots and wreak havoc. The remedy is education of executives and staff on the methods used by social engineers.

CCTV: NICET (National Institute for Certification in Engineering Technology) has certification programs for system designers and installers. To save on bandwidth consumption and thus save money, the CSO can time the frames per second (FPS) on CCTV to any alarm activity so that when it is most needed, there will be high resolution frames of film.

Executive Protection: Executive security agents must be trained to identify potential threats and react pro-actively, drive defensively, defend against an attack, stay fit, treat emergency medical situations and maintain a professional appearance and demeanor. The CSO may also have to educate and persuade the executive to understand and acknowledge the need for and benefits of personal protection.

Business Continuity: Businesses are not exempt from man-made and natural disasters. The CSO may be called upon to oversee the plan and put it into action in an emergency. The most important part must be communication with all the employees.

SECURITY LEADERSHIP

Enterprise Risk Management: To enable much more sophisticated means of risk management, managers must allow themselves to see the big picture and all the inter-relationships among areas of risk. Companies will be able to do more with the resources they already possess. Holistic risk management saves money. ERM reduces costs, improves efficiency, closes gaps in risk and prepares enterprises for the increasing need for regulatory compliances.

NEW BASICS OF SECURITY LEADERSHIP

Security managers and executives today need to learn to develop and use risk analysis metrics. Then they need to use benchmarks to develop ROSI (return on investment) data. CSOs need to educate their executives about organizational threats, likelihoods, consequences and their costs versus the effectiveness of possible fixes. The business leaders make the final decisions on acceptable risks and remedies to put in place.

The CSO then serves as the point of contact for overseeing the security program so the CEO and others always know who to contact for updates and other information. With this holistic view of risk, there is collaboration and coordination across all areas of risk so that the employees are adequately educated to better understand the entire enterprise’s total risk picture in today’s constantly changing business environment.

Learn More

Learn to identify and analyze potential workplace hazards, infractions and risks through a bachelor of science in occupational safety online. At Eastern Kentucky University, you will gain a graduate-level education by industry-experienced educators and fire and safety professionals who are committed to teaching and preparing you for continued success.

Sources:

http://www.csoonline.com/article/2123860/identity-access/security-basics.html

http://www.securitymagazine.com/article/83130-the-security-leader-beyond-guns-guards-and-gates