CSO 2.0: How to take your security program to the next level

Information security is changing rapidly. At each new security conference it seems as though there are almost twice as many new tools and new vendors as at the previous edition. Security incidents are occurring more often and with increased financial or reputational impact.

At the same time, resources for security and IT remain nearly constant. How do we do more with less, and how do we govern in a rapidly changing environment? How can we be more in tune with the needs of the business and make security a driver of change rather than a box to check? To take a page from a popular ad campaign, here's a look at some key elements for CSO 2.0s to have in their wallet for success in 2014 and beyond.

CSO 1.0

Little to no understanding of what makes the business tick

Focused on securing the external network only

Remains within the information security domain

Metrics and reporting to the business are primarily technical and security-based

Relies on anti-virus and security technology only

Adds new security tools because they are trendy and everyone is doing it

CSO 2.0

Engages with and understands the business: Is in close touch with peer business leaders and has touch points and feedback loops across multiple levels of the business organization

Metrics that the business can understand, risk-based and tied to dollar amounts: Aligns security objectives with business goals, even trying to make security a driver for more business

Treats the external and internal network as hostile: With the proliferation of mobile devices and APT, the internal network must be treated as being as hostile as the external one; add SSL to critical internal websites as you would on external sites

Proactive focus: Focuses on proactive security measures such as security training and continuous security scanning of production systems

IS Management

Risk- and compliance-based approach to information security: Finds the right mix of security tools to address business risks, plus non-security tools such as legal agreements for risk mitigation

Holistic information governance approach: Works across the board with other data governance stakeholders such as privacy, compliance and legal to create a cross-functional approach to data, information and asset governance

What CSO 2.0 tips do you have in your wallet that you'd like to share? Please comment.

George Viegas, CISSP, CISA is Director of Information Security at a leading multinational information and media company based in Los Angeles.
