
What duties for the CSO 2.0?

What will be the CSO's next duties? We attended IDC's Risk Management conference to find out.

Despite its spin, the term Security 2.0 might not be all marketing after all. According to IDC's Eric Domage, Research Manager, Security Products & Services, the term defines quite precisely what the CSO's next duties will be in a business world. "Far from only protecting the IT, the security 2.0 mission plan involves creating value in a changing landscape, a world increasingly fluid and fundamentally insecure", says Domage.

Addressing CSOs during the 7th IDC Risk Management Conference in Paris, Eric Domage urged them to consider IT Security as a business enabling tool, and not just a technical necessity. "To view a security policy only from a technical point of view is a dead end", warns Eric Domage.

And the truth is, of all the advice given that day to the CSOs attending the conference, none was technical. The focus was rather on processes and their checks, and how to bring the management, the users, the CSO and even the regulatory bodies to work together.

IDC offered a few pointers to help reach that goal. Unsurprisingly, most of them are educational rather than technical:

  • Public discussion about security incidents.
  • Need to convince the upper management of the importance of security, and not just the IT people (aka "seducing the IT challenged and not the IT gurus").
  • Systematic evaluation of ROI (albeit quite a difficult task when it comes to security investments).
  • Public acknowledgment of security's added value (better customer trust).

Already a competent geek and a high-level manager, the CSO now also has to become a BOP, a Business Oriented Professional. Only when he is able to talk the business lingo will he convince upper management of the need for a strong security practice.

This calls for a new view of risk management. "Be suspicious about the newcomers just as the one who just quit the company, about the managers or the brightest elements. Any of them could be tempted to bypass your security checks for what they think are excellent motives", adds Domage. And of course, the shadow of Société Générale's recent scandal served his purpose, with Eric Domage warning that "The next Jerome Kerviel might very well be already working for your company".

With this Security 2.0 process underway, it's time to think about its updates. Eric Domage concludes his presentation by summing up four areas the CSO 2.0 will need to address repeatedly:

  1. Information Warfare: management of what comes in and out, and the company's knowledge.
  2. Bits and bytes: traditional malicious attacks on the IT.
  3. Compliance: both internal and external compliance, to business and legal regulations.
  4. Security as a Business: always create value.

 
