
The evolution of the CISO role and organizational readiness

Brian Engle | Oct. 29, 2014
If we look at the headlines surrounding recent data breaches, we might conclude that the role of the chief information security officer (CISO) has never been more critical to the success and sustained well-being of an organization. It follows that the information security organization, and where it reports, is also important. This is probably why every recent CISO event includes a conversation about where the CISO and the information security program should reside within an organization. The challenge is that, however healthy the debate, the question of where the CISO and his or her department should report generally ends with "it depends". To shift from debate to productive action, maybe the question is not where the CISO should report into

Given the shortage of skilled information security practitioners, let's assume there is no silver bullet when it comes to the "right" reporting structure or personality type that will guarantee CISO success. However, based on numerous conversations, there is agreement that the information security program and its leader must be aligned to the corporate strategy. To achieve this, the CISO needs access to other C-level executives to ensure alignment and engagement; the latitude to influence and affect employee behavior; the authority to report progress and challenges; and corporate support when the inevitable security event happens. And, per the NACD, cyber risk needs to be managed as an enterprise risk, and a cross-functional team of key stakeholders should be assembled to develop an information security strategy.

While every organization will need to establish its own plan for addressing information security as an enterprise risk, there are three activities that necessitate immediate action:

The role of the CISO will continue to evolve, and as recent events indicate there is still much to be done to increase the effectiveness of the CISO. It is critical to take the first steps to ensure that the role is able to engage at the appropriate level of the organization, and it has never been more important to build the leadership abilities of the CISO. Every organization should consider how it is addressing its cyber risk and what role the CISO plays within the business.
