Given the shortage of skilled information security practitioners, it is safe to assume there is no silver bullet: no single "right" reporting structure or personality type guarantees CISO success. Based on numerous conversations, however, there is broad agreement that the information security program and its leader must be aligned with the corporate strategy. To achieve this, the CISO needs access to other C-level executives to ensure alignment and engagement, the ability to influence and change employee behavior, the authority to report progress and challenges, and corporate support when the inevitable security event happens. And, per the NACD's cyber-risk guidance, cyber risk needs to be managed as an enterprise risk, and a cross-functional team of key stakeholders should be assembled to develop the information security strategy.
While every organization will need to establish its own plan for addressing information security as an enterprise risk, there are three activities that require immediate action:
The role of the CISO will continue to evolve, and as recent events indicate, there is still much to be done to increase the effectiveness of the CISO. It is critical to take the first steps to ensure that the role can engage at the appropriate level of the organization, and it has never been more important to build the leadership abilities of the CISO. Every organization should consider how it is addressing its cyber risk and what role the CISO plays within the business.