JTC Corp. does not have a CSO, he adds, but where IT security is concerned, the CIO holds responsibility. "We have an IT security organisation with an assistant director appointed as IT security manager to execute our security programmes through an IT security technical committee. This committee is in turn overseen by an IT security steering committee chaired by myself and my assistant CEO."

This is typically the structure that governs the IT security function, he adds. "Typically, the CIO, through his IT security manager, has the responsibility to establish the baseline IT security standards and policies for the organisation, enable the organisational set-up to execute them, and develop the programmes to promote awareness, education and training."

A check with other mid-sized to large Asian enterprises yields the same findings. At Thai Airways, the CIO, too, holds responsibility for IT security. VP of IT Services Bu-nga Kornvinai says it has not appointed a CSO to take care of IT-related security. "However we have established a security committee chaired by myself, to set security standards and procedures," she adds.

At the Urban Redevelopment Authority (URA), Singapore's land planning agency, IS head Peter Quek says it has not created a CSO position, and IT security comes under the CIO's responsibility. "We don't create the title. The more important consideration is to have a senior executive or committee to take on responsibility and accountability for the security role. At URA, we have a security working group chaired by myself assisted by my security administrator, that looks at security policy, protection, detection, audit and recovery, and a high level IT steering committee chaired by senior management. Security needs to be managed at a high level."

At Dutch banking giant ABN AMRO, the situation is the same: security is tightly connected to IT. Vincent Lew, regional head of Technology Risk Management, Asia Pacific, says his organisation forms part of the IT function at ABN AMRO, and he has a reporting line back to both the regional CIO and the global head of Strategy and Risk Management based in London. "In the Asia Pacific, I don't see [the security function] moving out [of IT] anytime soon, as so much of what we do in banking and financial services is about systems and data processing...so it makes more sense for security to be within the IT organisation for functional and operational purposes. The security function generally started from IT, and, having been around only in the last 15 years or so as a result of the Internet, it is a young industry compared to [the other IT disciplines]."