Is the CSO a toothless tiger?  

Resources for Federal Financial Institutions Examination Council (FFIEC)


www.zdnet.com.au

In some Australian organisations the CSO is a toothless tiger and employed only to meet regulatory requirements, which can lead to companies limping from one IT security disaster to another.

Many financial institutions and government agencies require a CSO to meet compliance audits for such benchmarks as PCI, Sarbanes-Oxley and ACSI33. It's often asserted that meeting these benchmarks is the only reason the role exists.

"I could name you a dozen organisations we've talked to in the last few months that put in new security infrastructure purely for the sake of compliance," said Carlo Minassian, founder and CEO of managed security service provider Earthwave. "They pay 200K to hire a CSO, tick a box, and they are compliant. But beyond that, the CSO is given no budget, struggles to get a say in the boardroom and gets very bored of the job. Nobody is hired to manage the IDS and firewall, logs aren't monitored, software gets three years out of date and nobody notices," he said.

The CSO has essentially become a "scapegoat", says Wayne Neich, country manager for security vendor BlueCoat.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.