In order to better align security with the risks that organizations face, the CISO (chief information security officer) role needs to be made more accountable at the board level, so that the board has visibility into the CISO's activity. However, in many organizations this is not the case. A recent survey by PwC found that 57% of CISOs report to the chief information officer (CIO) or to the head of IT in the organization, whose role is primarily to ensure that IT systems run efficiently. This can leave the CISO feeling pressured to contribute to the successful implementation and running of IT systems, rather than being in a position to influence security spending decisions and support overall risk-management objectives at the board level.
According to researchers at IDC, the CISO role should be to protect the organization’s reputation, data, and intellectual property, as well as to guide the implementation of innovative technologies to ensure that all business transactions are conducted securely. However, a recent study conducted by Deloitte, on behalf of NASCIO, among public sector CISOs found that, while the majority state that cybersecurity governance and strategy should be the key initiatives they undertake, 86% state that the lack of sufficient funding is the key barrier to effectively addressing cybersecurity.
Technologies and the innovative business models they enable are evolving fast, presenting organizations with new business opportunities. Yet the developments that organizations are embracing, such as virtualization, cloud computing models, social media, the consumerization of IT, greater freedom through mobility, and increased levels of outsourcing, also increase the risks that organizations face. In order to embrace the opportunities that such developments enable, organizations need to empower their CISOs to view security from a business-risk perspective, rather than one focused on IT control. Further, as the threats facing organizations grow in complexity and sophistication, security must be treated as core to the overall strategy and management of every organization. Compliance mandates are becoming ever more stringent, requiring greater oversight of security within the overall risk-management objectives of every organization.
Organizations will never truly be able to improve overall security if security continues to be seen purely as a function of IT and considered only in technical terms, without regard for the specific risks faced by the organization as a whole in relation to the key performance indicators it has defined. The CISO role needs insight into overall risk at the board level in order to effectively influence spending on innovative IT solutions that secure the business, support its vision, create value, and ensure that risk is managed in a holistic manner across the entire organization. Only those organizations that make CISOs truly accountable at the board level will be able to achieve a level of security that is commensurate with the real needs of that particular business.