Philippines companies still lack CSOs

Von Jenalyn M.

Despite the growing and evolving threats in network security, there is still a lack of dedicated chief security officers (CSO) in the Philippines. This was the consensus among security solution providers during the recently held CSO Summit sponsored by Microsoft Corp.

Representatives from Computer Associates International Inc., McAfee Inc., Microsoft Corp., and Trend Micro Inc. all agree that local companies are either aware of a CSO but refuse to acknowledge the need for a separate security authority, or entrust all security concerns to the network administrator and the chief information officer (CIO) who, the companies believe, have sufficient knowledge.

According to Jojo Ayson, senior manager for Platform Security at Microsoft, the Philippines is not yet in the stage where companies have a dedicated security officer. He said the job often falls on the IT department, that is, the CIO or the network administrator.

Karl Verhulst, product marketing director of Computer Associates (CA) in South Asia, added that the person being groomed to be a CSO should be senior enough because the CSO can override the chief executive officer (CEO) when it comes to security matters. ?The issue is not having someone who knows what security is but someone who has the power to do something about it,? Verhulst said. The CA director observes there is an urgent need for companies to create a CSO position because security is not getting enough attention at the board level.

Viren Mantri, strategic security services principal of McAfee South East Asia and India, agrees with Verhulst, saying that the CSO should be no less than a management position. The CSO position is accountable for maintaining utmost security and has an independent reporting responsibility to the CEO and the board.

Given the definition of a CSO as a board-level or management position, Microsoft?s Ayson asserts that the Philippines is definitely not in that stage yet, but he believes the country is getting there. Apparently, however, the lack of a dedicated CSO is not only an issue in the Philippines. According to Mantri, even in Singapore and in some companies in the US, having a CSO is not yet a standard. ?Today, only the global organizations are the ones sure to have dedicated CSOs,? he said.

Although the Philippines is still in that level where most IT companies still relegate security responsibilities to the IT department, Ayson said that talking to customers has made Microsoft realize that local companies are, in fact, becoming more aware of the importance of focusing on security. ?There is definitely a growing awareness that you need a dedicated person and that he need not be an IT person or even a tech-savvy individual,? said Ayson. He added that the CSO should, in fact, be an enabling position responsible for threats and risks in the organization. Finally, the CSO should also have the power to state how much of the total IT budget should be allotted to security.