The start of outsourced CSOs and Security Specialists?

January 20, 2009

I thought about using the term (and have many times in the past), “virtual” CSO, but that sounded a bit wanky. This is something that I thought would take off a while ago, but like all else in our industry, things move slowly and little has happened.

With this “economic downturn” (yeah, I know…it’s been overdone also but reality is reality), I do think organisations are going to start to think about this. Staff are being laid off, sadly, but key aspects of the business still need to be in place – for regulatory requirements and moreso, just for the security and viability of the business.

I think in 2009, many companies are going to look for “specialists” (outside consultants from specialist firms – hopefully not, the usual mobs who’ve milked them of money for years for no result….yeah yeah….we know who I am talking about), in this field to replace people who have been made redundant – many who also were promoted to senior security roles that they were not capable of doing, nor ready for, ie; being able to work to a level that would be to the real benefit of the organisation. Read on….

I don’t just sit here and bag CIOs solely as anyone who has read BorB or knows me well enough knows. 80%+ people with security in their title from my experience have no business having that title and the only loser is the company they work for. (They personally will eventually be found out…karma hey…hopefully?! Aside: Also, gees this industry is full of big talkers with little substance). Don’t get me wrong. When I say 80%, it isn’t within organisations following a pattern – ie; 80% are useless in there. No. We work with some awesome organisations where almost everyone we deal with knows there stuff. I am talking across the board.

Anyway, back to the topic…..I think/predict that organisations will start to engage “specialists” as their CSOs – working outside of IT departments, outside of the business management team directly and providing that unbiased opinion/oversight/management and direction for those organisations.

If you’re not aware of this, many large global corporates use consultants for security (physical – or whatever you want to call it). eg; Russell Crowe’s movie “Proof of Life”. That’s not just a movie – it is real world stuff. I know. Why will, or should our industry be different?

Now I may be drawing a long bow here….and I probably am and the similarities are a way off…..but are they really? ….. When you get serious about something for one reason or another, you do eventually call in specialists for the work that your internal people cannot do. Unless you are a large bank or the like, you’re not going to have those specialists. Pretty much fact in the majority of cases. So when you start to take security seriously, (analogy to the physical security world), you get the specialists in.

Is that a trend we’re now going to see from here on in? I think so. I also think it is the only sustainable way for most organisations.

I welcome your thoughts as usual.

Comments (0)

Posted in: Bad Stuff, Forensics, Risk Management, Vulnerability Management, cyber crime