Profiling: A New Approach to Desktop Security

Posted by SecBarbie on Thursday Dec 29, 2005 Under Uncategorized

http://whohastimeforthis.blogspot.com/2005_12_19_whohastimeforthis_archive.html

Speaking of the limits of rationality, often it is ignorance, not brain structure, that impairs the quality of our decisions. Sometimes we simply need to get a little expert help. That’s why Bessemer (led by Rob Stavis of Skype fame) incubated and funded SiteAdvisor, a security startup with a fundamentally new approach to defending the flock of internet users from hungry predators…

A flawed premise characterizes the plethora of internet security technologies–a mismatch that fuels the growing scourges of spam, phishing and exploits. The flawed premise is that users will be secure if they have the data to decide for themselves whom to trust.

Thanks to this superficially compelling idea, we have applet signatures, SSL certificates, 30-page online license agreements, and pop-up warnings when we are “about to enter an insecure website.” Do any of you really stop what you’re doing because of obscure language in an online license agreement, or because a pop-up window alerts you that an SSL certificate has expired? We all know what really happens, with the inevitable consequence that we are spammed, phished and exploited.

The idea that more information protects us springs from early technologies like PGP that relied on a rudimentary social network to convey trust. For a small community of 10,000 programmers who actually understood the details of public key encryption, PGP worked well. But for a billion internet users bombarded with technical jargon, too much information annoys far more than it defends. Sometimes fewer options are better (see prior post on the negative value of options when decision-making is sub-optimal).

SiteAdvisor tackles the problem of internet security by offering expert recommendations while you surf. For example, maybe you don’t really want this Google search result, because that web site links to a lot of malicious sites (see icons added to the search results on the right). Er, are you sure you want to enter your real email address in this form? If you do you should, based on our tests, expect 254 emails per week in your inbox (see second screenshot)…

In a sense, SiteAdvisor extends the functionality of Websense, going far beyond content analysis. For example, SiteAdvisor’s software analyzes the impact on your desktop from downloaded code, the security of pages referenced by hyperlinks, and the number of messages you should expect from sharing your email address. You can read a comprehensive review of SiteAdvisor in an article published today by Ben Edelman at Harvard titled “Deciding Who [sic] To Trust”. Screenshots that illustrate the depth of SiteAdvisor’s analysis are available here.

Profiling may be a dirty word in US airports, but it is widely hailed as an effective–and even critical–security mechanism. SiteAdvisor elevates reputational internet profiling to a higher level by encompassing all the elements of a web site–not just the public key, URL, IP address, or applet cert.

Personally, I will feel much freer to explore the back alleys of the net with a bodyguard watching my back.


What is a Chief Security Officer?

Posted by SecBarbie on Thursday Dec 29, 2005 Under Uncategorized

http://www.csoonline.com/research/leadership/cso_role.html

The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security. At many companies, the term CSO is still used in this way. CISO, for Chief Information Security Officer, is perhaps a more accurate description of this position, and today the CISO title is becoming more prevalent for leaders with an exclusive infosecurity focus.
The CSO title is also used at some companies to describe the leader of the “corporate security” function, which includes the physical security and safety of employees, facilities and assets. More commonly, this person holds a title such as Vice President or Director of Corporate Security. Historically, corporate security and information security have been handled by separate (and sometimes feuding) departments.
Increasingly, Chief Security Officer means what it sounds like: The CSO is the executive responsible for the organization’s entire security posture, both physical and digital. CSOs also frequently own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy.
Several forces are driving this trend to combine all forms of security under a single organizational umbrella. At a tactical level, technology is being infused into physical security tools, which are increasingly database-driven and network-delivered. At a strategic level, CEOs and corporate boards, motivated in part by regulations such as the Sarbanes-Oxley Act, desire an enterprise-wide view of operational risk. And at a practical level, CSOs say a cohesively managed security function can deliver better security at lower cost.

Sample CSO job description
This is the top security executive in the company. He or she will report directly to a senior functional executive (CEO, COO, CFO, chief administration officer, head of legal counsel). The CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate’s direct reports will include the chief information security officer and the director of corporate security and safety.
Responsibilities:
§ Oversee a network of security directors and vendors who safeguard the company’s assets, intellectual property and computer systems, as well as the physical safety of employees and visitors.
§ Identify protection goals, objectives and metrics consistent with corporate strategic plan.
§ Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more.
§ Maintain relationships with local, state and federal law enforcement and other related government agencies.
§ Oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
§ Work with outside consultants as appropriate for independent security audits.
Qualifications:
§ Must be an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security-related concepts to a broad range of technical and non-technical staff.
§ Should have experience with business continuity planning, auditing, and risk management, as well as contract and vendor negotiation.
§ Must have strong working knowledge of pertinent law and the law enforcement community.
§ Must have a solid understanding of information technology and information security.
