It's past time for all major companies (certainly those in the Fortune 500, but the advice carries down to even medium-sized organizations) to carve out a C-level role focusing solely on security.
Information security isn't just a luxury in this day and age. It's a necessity. For the longest time (and even today in some companies), security was (and is) within the purview of the CIO, a bullet point on a long list of pre-existing responsibilities and job requirements to look after.
Ignore security long enough, though, or neglect to pay it the attention it deserves, and the bad guys will pay attention to it for you: Witness what happened at Target and, more recently, at Home Depot. These incidents were very serious security breaches that let attackers gain access to sensitive payment data over a long period of time: a few weeks in the case of Target and a few months in the case of Home Depot. Consider that. Bad guys infiltrated the most sensitive of systems at a company for months, and only external entities (the banks) convinced Home Depot to look at its systems with enough of a fine-toothed comb to actually discover the breach and begin remedying it.
That these breaches went undiscovered for so long, and that the Home Depot penetration in particular was only discovered and acted upon after external companies went to the victim organization to say, "Hey, something's wrong," is a symptom of a clear and present danger to IT: Inattention to security.
CIOs have so many projects, problems, and plans on their plate that they let slide their responsibilities to bolster the security profile of their systems and to monitor the integrity of the networks and machines they already have in place. Moreover, a CIO may not have the technical expertise or continuing education required to stay on top of security threats and the evolving nature of the security landscape.
No matter who the CISO reports to (whether it's the CIO or, even better, the COO), he or she should be charged solely with managing the current security profile and ensuring that the hardening of networks and systems continues at an efficient but effective pace. The CIO could be responsible for the business and operations side of IT, while the CISO could look after the organization's six o'clock.
CISO Role Equal Parts Planning, Approving, Communicating
In a perfect world, every company would have a CISO, and he or she would be tasked with the following objectives and replete with the following abilities.
Breach response and reaction plan responsibilities. As discussed, the Home Depot breach might still be active now if it weren't for third-party intervention. Since the breach's discovery, it took over a week for Home Depot to even officially admit it had been penetrated, and only in the second week after the breach has any customer-facing plan for mitigation been put into effect. You have to wonder what the committees inside the third-largest retailer in the United States were doing all this time, and how effective the consulting companies that were called in to help remedy the breach were in cutting through any red tape.