CSO 2.0: How to take your security program to the next level

Information security is changing rapidly. At each new security conference it seems as though there are almost twice as many new tools and new vendors as at the previous edition. Security incidents are occurring more often and with greater financial and reputational impact.

At the same time, resources for security and IT remain nearly constant. How do we do more with less, and how do we govern in a rapidly changing environment? How can we be more in tune with the needs of the business and make security a driver of change rather than a box to check? To take a page from a popular ad campaign, here's a look at some key elements CSO 2.0s should have in their wallet for success in 2014 and beyond.

CSO 1.0

Little to no understanding of what makes the business tick

Focused on securing the external network only

Remains within the information security domain

Metrics and reporting to the business is primarily technical and security based

Relies on anti-virus and security technology only

Adds new security tools because they are trendy and everyone is doing it

CSO 2.0

Engages with and understands the business: Is in close touch with peer business leaders and has touch points and feedback loops across multiple levels of the business organization

Metrics that the business can understand, risk based and tied to dollar amounts: Aligns security objectives with business goals, even trying to make security a driver for more business

Treats the external and internal network as hostile: With the proliferation of mobile devices and APT, the internal network must be treated as being as hostile as the external one; add SSL for critical internal websites as you would on external sites

Proactive focus: Focuses on proactive security measures such as security training and continuous security scanning of production systems

IS Management

Risk- and compliance-based approach to information security: Finds the right mix of security tools to address business risks, and non-security tools such as legal agreements for risk mitigation

Holistic information governance approach: Works across the board with other data governance stakeholders such as privacy, compliance and legal to create a cross-functional approach to data, information and asset governance
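To make the "treat the internal network as hostile" item concrete, here is an added illustration (not part of the original column) of what "add SSL for critical internal websites as you would on external sites" looks like in an nginx reverse proxy. The hostname intranet.example.internal, the certificate paths and the backend address are assumed placeholders; the certificate would typically be issued by the organization's internal CA.

```nginx
# Added example, not from the article. Assumed hostname, paths and backend.

# Weak setting: the internal app is served over plain HTTP, so logins and
# session cookies cross the internal network in clear text, where a
# compromised laptop or phone on the same network can read them.
server {
    listen 80;
    server_name intranet.example.internal;
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}

# Corrected setting: plain HTTP only redirects, and the app itself is reachable
# solely over TLS, exactly as it would be on the public internet.
server {
    listen 80;
    server_name intranet.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name intranet.example.internal;

    # Certificate from the internal CA (assumed paths)
    ssl_certificate     /etc/ssl/certs/intranet.example.internal.crt;
    ssl_certificate_key /etc/ssl/private/intranet.example.internal.key;

    # Modern protocol versions only; let the client choose among the
    # server's TLS 1.3 suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to keep using HTTPS for this host for one year
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend on localhost
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The application behind the proxy should still mark its session cookies Secure so they are never sent over the redirecting port-80 listener, and the internal CA's root must be distributed to managed endpoints so the certificate validates without users learning to click through warnings.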

What CSO 2.0 tips do you have in your wallet that you'd like to share? Please comment.

George Viegas, CISSP, CISA is Director of Information Security at a leading multinational information and media company based in Los Angeles.
