Data breaches are continuing to increase in size and frequency. The recent string of high-profile breaches has underscored the need for better information security awareness at every level, from the average employee to the board of directors.
The value of hiring a chief information security officer (CISO) is increasingly clear. Their role is to counsel the executive team and board members on how to consistently protect the enterprise’s crown jewels. Managing perception is as important, and having a CISO in place signals that a company is serious about protecting information.
As the threats to organisations increase, the visibility of the CISO also increases. For this reason, it’s important to think through the critical success factors.
Translating into business-speak
Research from the Ponemon Institute reveals that just 6% of security professionals report they are highly effective at communicating risk factors to senior management.
Unless the executive team clearly understands the importance of protecting information, the resources and budget to do so will not be allocated. Of those surveyed, 29% never communicate with senior executives, and 31% indicated that the only time they meet with the executive team is when a serious security issue has been discovered.
If the CISO is responsible for the entire information protection lifecycle, how can they do so effectively if they rarely communicate with the rest of the leadership team?
Communicating in terms that the whole company understands can be a challenge. Protecting information is a complex topic and has its unique vocabulary. Translating the vocabulary into business terms is more challenging if the business is in a non-technical sector. This void is one of the most important for the CISO to fill.
With threats from nation states, criminal organisations and groups such as Anonymous on the rise, more CEOs are recognising the need to hire a CISO to drive information security and risk strategy.
A critical component of the role is to support a CEO in communicating that strategy clearly to all employees. Additionally, keeping a consistent dialogue open with the rest of the executive team will help minimise the risk to the business.
If the right dialogue is happening from a security leadership perspective, the business will be engaged. This means the general counsel, compliance, technology and business leaders all need to participate in the conversation. By facilitating the dialogue, a company will be able to align security with business and technology strategy.
The question of reporting structure
There are still many companies that do not have a CISO, and in companies that do have one, the CISO most often reports to the CIO. However, the mission of the CIO is different from the CISO's.
The mission of the CIO is to provide business solutions and it’s the CISO’s role to keep the environment safe. As a result, more organisations are recognising that the CISO needs to report directly to the CEO and have regular access to the board.
If the CISO reports to the CIO, this usually results in putting security and technology at loggerheads. The priority for the technology team is technology adoption, but a security team vets the technologies against the company’s security and compliance requirements.
Security’s mission is to ensure that the environment has the proper controls and that the risk level is minimised to a level that makes sense for the business. That requires a different set of skills and a fundamentally different mission than the technology organisation.
Whether a CEO employs a CISO or not can depend on the size of the organisation, and on whether it has enough depth and breadth of security expertise in-house. It may not be practical to have both a CISO and a CIO for a 1,000-person company. In this case, it could make sense to combine the technology and security roles.
That person can still set smart security strategy and rely on their team to do the day-to-day work of minimising risks to the organisation. The most important thing for a mid-size company is to identify someone in a leadership role who is responsible and accountable for the security programme.
Enterprises should take note of the fallout from the Target data breach, which has been the clearest example of the need to employ a CISO. The first casualty was Beth Jacob, the then CIO. Next, Gregg Steinhafel, the CEO himself, was forced to resign after dismal holiday-quarter earnings, typically the period that generates the lion's share of retailer earnings. Institutional Shareholder Services (ISS) called for the resignation of seven of Target's board members for failing to provide the right level of oversight.
In that harsh light, it becomes increasingly clear that large organisations should invest in a CISO to set the right direction. Traditionally, an instinctive reaction is, “What’s the tool I need to buy to solve a problem?”
Managing human behaviour is the most important objective for an enterprise, and part of this is helping all employees understand what they need to do to protect information as part of their job.
While it's important to have the right technology tools, an organisation needs a combination of people, processes and tools. With the appropriate guidance, and the right security controls in place, the CISO can partner with the executive team to create a resilient business and protect its brand and reputation.
Sourced from Bob West, chief trust officer, CipherCloud