MIS UK recently met with its Basle-based chief security officer (CSO) Andreas Wuchner-Bruehl to find out about the information security concerns of the organisation.

What does a CSO do?

I deal with what 30 years ago was a problem with piles of paper and now is a problem with memory sticks, but the issues are the same. The job is about managing risks. So here we have a split between physical security, information security (policies and reviews) and IT security, which we all pull together via a common management council.

What are your top concerns?

One of our current focus areas is ensuring our applications are more secure. It is a process that mirrors what we achieved with platform and infrastructure security over the past three years.

Then there is the ongoing work on designing a consistent security architecture based on Novartis’ business objectives. This is an approach that isn’t about IT security products but about a broader people, processes and technology mindset.

We are also looking at increasing security in many areas of the organisation in order to anchor security focus and discipline into the everyday job profiles of the work force. We’re looking at a number of ways to do this for different layers of the team, such as key performance indicators for management and objectives for operational people.

Is security a technology or a culture problem?

It’s about people, processes and technology. Using a technology-centric approach would mean we would never be able to address all the existing business risks of a company this size.

Should all companies have a CSO, or just the bigger enterprises?

The answer is different depending on the size, the industry and the individual risk of each company. For me, a security-conscious culture up to the upper management level is much more important than a named CSO who in reality may lack the power to address any risks.

What is the one thing you wish you knew when you started?

I am a major advocate of management of the problem: it’s only what I can measure that I can manage effectively, as the business gurus say. It has to be more than a gut feeling. Measurement in the security context of course is not always easy and it is not getting any easier. So I am also a believer in getting the right expert advice to help me deal with this. So I’d say, involve experts right at the beginning – or in other words, know what you are really good at, do that, and for everything else, hire or find experts capable of doing what you can’t more effectively.