By virtue of his employer, Scott Charney of Microsoft Corp. is probably the most widely recognized name among an emerging breed of corporate information security chiefs. Yet the onetime federal cybercop and prosecutor has been on the job in Redmond only about 10 weeks. He divides his time between figuring out how to secure Microsoft's massive and infamously insecure product line, andquietly wielding his clout in Washington on a number of government security boards and consortia.
What he doesn't do, however, is call himself a chief security officer, or CSO. His title is chief security strategist.
The distinction is quite deliberate. As Charney told me last week, he sidestepped the CSO title because it implies an internally focused, batten-down-the-hatches type of IT cop someone busier protecting corporate resources from the bad guys than thinking strategically about computer security.
"The focus of my job is not to protect Microsoft from hackers we have people who do that but how to make our products more secure," he explained. "I'm not the internal cop."
Smart choice, given the state of the CSO landscape these days.
As our story last week pointed out [QuickLink: 30109], many CSOs are on a slippery slope these days, unable to get a grip on a sustainable corporate mission. There's been a minor rash of high-profile departures by IT security chiefs from banks and brokerage houses, along with a major sense of deflating expectations. As one CSO told our reporter: "The greatest threat we face is the belief of senior management that there is no threat. So we don't get funds, money or resources."
There also hasn't been a notable surge of security job creation only more security duties assigned to already overloaded IT staffs.
Seems counterintuitive, doesn't it? Information security awareness is at an all-time high, and there's not a CEO on the planet who would shrug off the need to protect corporate assets or customer privacy. Yet in a recent survey by Booz Allen & Hamilton of 72 CEOs from large companies, only 54 percent of them had a CSO in place.
Now, some of the flagging fortunes of CSOs are no doubt connected to corporate IT's ongoing struggle made all the more acute by our lackluster economy to provide measurable business value.
When the CIO title started cropping up more than a decade ago, it was generally ridiculed as a useless, powerless position. The job churn among CIOs led to the quip that the acronym really meant "Career Is Over." Nobody's laughing now, of course. But that hard-won place in the executive boardroom isn't something many CIOs are keen to share with their security-minded colleagues.
So there they sit, between the proverbial rock and a hard place. What should the CSO job really be when it grows up? There's a credible school of thought that CSOs need to be as technically grounded and focused as CTOs. Then again, many of the more successful CSOs are showing up for work with extensive government and law enforcement backgrounds rather than roots in IT.
Whatever the ultimate mix of skills turns out to be, we need more strategists and long-term thinkers on the security front. Perhaps what we also need are fewer corporate titles subdividing the ranks of IT and jockeying for position outside the executive washroom.