Beyond the hype reports have focussed on what these IT professionals actually do, and how they fit into an IT division's organisational chart.
When ZDNet Australia recently spoke to US-based Arthur Wong, VP of security response at Symantec, he talked of the need for companies to focus on security, yet admitted that not enough organisations had a specific CSO.
Wong argued that CIOs were suffering information overload about vulnerabilities and viruses and consequently could not digest it all properly.
He said there needed to be more training, education and awareness of security in organisations. Wong said that in the past IT generalists within companies had been responsible for security. However, as they continue to try and combat security threats, hackers and intruders were becoming more sophisticated in their attacks.
Yet the growing focus on security in enterprises doesn't necessary translate into a specific CSO job title. Michael Warrilow, practice leader for security in Asia Pacific at industry analyst META Group, agrees that the importance of a CSO is absolute. "But we believe that the adoption of the role in the true sense of the word is quite low," Warrilow said.
"If you look at what organisations are spending on security within their IT budgets, it's still very low," he said. "Nearly half of them spend less than 1.5 percent of the total IT budget on security--that's in Australia and worldwide."
However, Warrilow added that IT spend devoted to security did vary depending upon the industry--for example, finance organisations typically spend more because of the high level of risk and the value of their transactions.
Warrilow said adoption of a CSO role in Australian organisations was quite low, but added that most organisations would have someone within the IT department who managed security from a technology perspective.
"But for the role of CSO they need much more than a technology focus," he said. The ability to negotiate at an executive level and a strong business background were among the skills he cited as essential to the position.
Typically, Warrilow said a CSO would be someone who had been a CIO, or who was the second in command to the CIO and being groomed for that position. Nor does a CSO necessarily report to the IT department head--instead answering to the CFO, COO or direct to the board or an information security steering committee.
Foad Fadaghi, senior analyst at IDC Australia, also thinks there was only going to be a limited outbreak of security positions at the C-Level in Australia.
Fadaghi estimates that only about one percent of businesses here are spending AU$10,000 to AU$20,000 per month on security, particularly given the large number of SMEs. "There's only a limited number of companies that have budgets that reflect the requirements to have a dedicated CSO," he said.
But Fadaghi said there were benefits for organisations which chose to have a CSO who dedicates their focus only to a specific aspect of IT within a company. He said there also might be the benefit of allowing the CIO to concentrate on areas such as infrastructure or strategy.
Likewise, Steve Bittinger, research director at Gartner, said that whether or not an organisation needed a CSO was on a case-by-case basis.
One of the factors Bittinger sees as influencing this decision was the organisational maturity in understanding the importance of security. Cultural transformation and someone at the business level to champion the change were part of this maturity, he said.
"The chief security officer role suits organisations that have a mature understanding of the opportunities for competitive differentiation in their industry," Bittinger said.
6%
2%
