November 16, 2010, 2:20 PM — The dichotomies of business intrigue me. How, on one hand, can we see the role of the CSO become increasingly aligned with the business, resulting in elevating the CSO in the reporting structure to a senior-management position, while on the other hand, we see some businesses just don't really "get" security at all? It makes me wonder what's going on out there.
Last month in CSO, Bill Brenner showcased the results of the 2011 Global State of Information Security Survey, the annual report we conduct with PricewaterhouseCoopers and CIO magazine. Among the more interesting findings was that the requirements of clients are becoming a major justification for security investment at organizations of all sizes. These client demands are a natural evolution of the 50-page tell-me-about-your-security questionnaire that many of you receive from or require of your partners. Security is becoming a business-enabling, customer-focused arm of the business, and failing to have good security measures and practices in place limits your organization's ability to successfully engage partners and drive new business.
Here's one example: I spent some time this month with an attorney friend of mine who specializes in information security law. One of his clients was looking to move some of its services out to the public cloud.
After evaluating possible cloud service providers, they narrowed the field of vendors down to two: a large, familiar cloud provider and a smaller upstart. As part of the final evaluation process, the client asked the providers about the security of their infrastructure. The large cloud service provider said not to worry about it; the company takes security very seriously. The client asked to speak with the vendor's CSO or CISO and was told that there was no such position at the company.
The smaller service provider, on the other hand, responded that, yes, it too takes cloud security very seriously, and that it would be happy to bring in its CISO for a briefing. The smaller firm said it understands how important security is, and it was able to back up its statements.
The smaller company, though slightly more expensive, got the business. It took security seriously.