Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Top three ways CSOs fail their organizations

Top three ways CSOs fail their organizations 

The best CSOs are those that also have a keen understanding of their company’s business, according to Dave Mahon, chief security officer for American telecommunications company CenturyLink Inc. 

In Canada, CenturyLink offers managed hybrid IT offerings including cloud, data centre colocation, managed hosting and network services and solutions. 

Dave Mahon CenturyLink

 “The CSO needs to understand the strategies approved by the board of directors so that he or she can develop and implement a security strategy that can help them achieve their business objective and protect the company assets,” he said.

For Mahon, this means there’s a lot on his plate. He is responsible for CenturyLink’s enterprise-wide security strategy, information security, cyber defense, critical infrastructure protection, physical security, network fraud and abuse, industrial security, international travel security, threat intelligence, workplace violence prevention, executive protection, investigations, and liaison with the National Security Telecommunications Advisory Council (NSTAC), National Cybersecurity and Communications Integration Center (NCCIC), as well as federal and state law enforcement and homeland security agencies.

Prior to entering the private sector, Mahon was a supervisory special agent with the Federal Bureau of Investigation. He was responsible for investigating violations of federal statutes in which the Internet, computer systems, and networks were exploited as the targets of terrorist organizations, foreign government-sponsored intelligence operations or criminal activities.

Related Content




In a recent interview with IT in Canada, Mahon discussed the growing cyber threats that companies face today and the key reasons why some CSOs fail to protect their organizations adequately.

According to Mahon businesses today face three main security threats:

  • Distributed denial of service (DDOS) attacks from lone hackers and hacker groups that could be supported by criminal rings or nation states
  • A spike and ransomware attacks
  • Crime-as-a-service and rent-a-botnet

Organizations continue to face the threat of Website defacement and disinformation hacks, and they can also look forward to the looming security nightmare brought about by the Internet of Things which will result in billions of devices hooked up to the internet.

Mahon cited these three factors that weaken that undermine a CSO’s capabilities:

Stuck on tech – Mahon said that many CSO’s tend to adopt a technology solution focus instead of a threat-focused approach when dealing with security risks.

“Their solution to a problem is to throw money and technology at it,” he said. “Instead they should be focusing on the adversary.”

When CSOs take the time to understand the threats and threat actors around them, the will have a clear view of how to protect their company assets proactively, said Mahon.

If you do not know what threat you are protecting your assets from, you will have an even murkier idea of what type of protection you need.

Having no enterprise-wide strategy – CSOs need to think about security in terms that go beyond the IT department and the data centre, said Mahon. As a senior executive of the company, they have to view security from the point of the c-suite.

In other words, the CSO is expected to provide leadership in identifying, prioritizing and assessing security risks. The CSO has to direct the company-wide efforts that cover security. The CSO’s mandate covers both technical and business aspects so the CSO also needs to lead in the planning and management of areas such as disaster recovery and business continuity.

“The CSO need to map the computing security environment to that of the company’s business environment,” said Mahon.

Failing to appreciate cyber risk management responsibility – The successful CSO is able to talk the language of the C-suite, said Mahon.

This doesn’t only mean that CSOs need to bone up on their boardroom jargon. CSO also need to develop a broader view of cyber risk.

For example, an IT manager could see a cyberattack as something that opens up the company’s databases to hackers. A C-level executive could see it as a PR fiasco or a litigation nightmare.

This final advice speaks just how broadly the role of the CSO has evolved over the years.

“Today, cyber risk management has become more of a risk management discipline,” said Mahon. “Think of risk broadly to encompass stuff like litigation. You’re not only preventing attacks, you also need to prove you’re doing it right, you need to provide evidence in court that your security program was adequate.”

Related posts