Deciding whether you need an independent chief security officer is a balance of four issues: the number of external privacy and security regulations you face, the size of your customer base, the number of internal employees, and the degree of privacy and security that customers demand for their information (financial services and health care, for example, face high demands in this regard). When these factors change or get out of whack, it may be time to carve out a separate CSO role that reports outside of IT. Here are some clear warning signs that say you need a CSO.
1. You've lost track of what you have in the infrastructure.
2. The company has grown a lot or changed its business.
3. Your customers demand extra privacy and security.
4. You weren't regulated and now you are, or the regulations have changed.
5. Your competitors start using their success with security as a competitive weapon against you.
6. The company doesn't have an explicit written security policy, or can't enforce the one it has.
7. Outsourcing deals haven't been examined for security issues.
8. Data has not been segmented into more secure and less secure categories.
9. Not every manager and employee believes that security risk is real, close by and imminent.
10. A major security incident has happened, and you need to rebuild trust with customers.