By: Fran Howarth, Practice Leader, Bloor Research
Published: 30th April 2013
Copyright Bloor Research © 2013
Research conducted by PricewaterhouseCoopers found that, in 2006, just 22% of more than 7,000 organisations surveyed had a CISO or equivalent function, but that proportion had grown to more than 80% by 2011. However, according to a recent report by CSO Magazine, between 40% and 60% of CISOs report to the CIO or IT executive function, with the proportion varying by industry. The job of a CIO is primarily to keep IT systems efficient, available and effective so that they meet the needs of the business and keep users productive. The CISO, by contrast, is concerned with security and risk management and, given the ever-growing importance of these functions to an organisation, it makes more sense to elevate the role of the CISO so that they report to the CEO.
This elevation of the role of the CISO will give them more say in aligning security with the overall risk posture of the business, a simpler reporting structure, and the authority and, potentially, the budget required to implement a holistic, risk-based security programme. The US federal government is currently discussing a bill that would require federal department heads to designate a senior agency officer as CISO, reporting directly to the department head rather than to the CIO. The aim is to ensure that the CISO has the authority and resources necessary to influence IT decisions that could introduce vulnerabilities or undermine compliance efforts.
Given the current reporting structure in many organisations, not all business leaders are kept adequately apprised of the security situation in their organisations. According to recent research from Core Security, just one-third of CEOs receive security updates from their CISOs, and only about one-quarter receive security communications on a "somewhat regular" basis. After some of the most publicised security breaches of the past couple of years were uncovered, it came to light that some of the organisations concerned did not have a senior enough executive in charge of the overall security programme. According to the CIO of Pacific Northwest National Laboratory in the US, which suffered a security breach in July 2011, internal investigations showed that the breach was directly related to a failure on the part of executive management, including the board, to demand regular security updates. As a result, executives had failed to recognise cybersecurity as a significant risk to the organisation, and consequently the cybersecurity programme had been allowed to degrade significantly. He stated that the lesson learnt was to watch CISO lines of reporting and to ensure that the CISO has the necessary authority to do whatever is needed to protect the organisation's information resources.
Posted: 1st May 2013 | By Mark Troester :
Interesting article - it certainly makes sense to elevate the role of the CISO. But regardless of where the CISO reports, the CISO has to be intertwined with development - and hopefully they take the approach of helping IT vs. becoming an obstacle. They certainly have to ensure that applications and systems are secure, but they need to provide early guidance for developers vs. late-in-the-development-cycle punitive action. This is especially key given that applications are developed in quick, agile-based cycles.
Published by: IT Analysis Communications Ltd.