Monday | 6 July, 2009
CSO
CSOs need to keep evolving, CA security exec says
CA executive urges CSOs at RSA Conference to strategize and make themselves heard

Here's what I mean.

Today, the necessity of secure transactions and relationships among the organization and its employees, customers, partners and vendors is a given.

The CSO must ensure that the organization is fully and securely Web-enabled and that business applications are automated so that the organization can transact and compete better than before -- on a global scale.

Take the financial services industry for example, where IT is not only important to the business, increasingly IT is the business -- it's all about the digital representation of currencies. In that environment, security can never be an afterthought. It must be integral to every aspect of the business.

As a consequence of this convergence, the whole definition of security within the context of IT has changed.

Security is now not merely about keeping bad guys out and locking up data. It's about enabling business -- it's about protecting the organization, while reducing costs, driving efficiencies and enabling growth. And that requires a 360-degree view of security.

So if the CSO arrived in the organization as a cop, what's the analogy today? I would say that we've moved away from the enforcement paradigm and into something much more nuanced and sophisticated.

The CSO today is a business leader -- with technological expertise.

To have a 360-degree view of security, today's CSO must have a 360-degree view of the organization and understand how IT systems translate into business services. The CSO must understand the organization's business priorities and must be thinking about how IT can align with those priorities.

At the same time, the CSO always must be balancing technical protection requirements with business value and scrutinizing any business action that threatens to compromise security.

There's a lot of debate about to whom the CSO should report. Some favor having the position report to the Audit Committee of the Board of Directors. Some say it should be the office of the Chief Counsel. Others say the CIO or even the CEO.

Certainly, I would agree that with so much riding on the function, having the CSO buried deep in the organization no longer makes sense. But where exactly the CSO reports is less important than ensuring that the CSO is working closely with the organization's senior leaders. Security demands an executive voice with the appropriate degrees of insight and muscle behind it.

I am sure that all of you work in organizations that recognize and value the role of the CSO. But I know that there are still a few Chief Information Officers that haven't engaged their CSOs on a strategic level.

Here's what I mean... [shows video clip]

Now let me point out that I am not CA's Chief Security Officer.

What you saw there was acting.

Our CSO is here today. His name is Bill Taub. When I was CIO, I knew exactly where he sat. And our current CIO, Steve Savage, does too.

The point of the film was simply to underscore that as Chief Information Officers have assumed a strategic role within many businesses, they increasingly look to the CSO to contribute to driving business value. (Read related story, "Are CIOs losing their mojo?")

Having been the company's CIO before taking over CA's security business, I know about the pressure coming from the CIO.

I know what it's like to have the Board, the CEO, auditors, regulators, and everyone with whom our company interacts relying on the CIO to ensure the integrity of our entire enterprise infrastructure, our applications, our data and our employees' private information.
