Following a tumultuous phase of cybersecurity breaches against international governments and businesses from the latter part of 2013 to the present, a number of global organisations have taken the measure of investing in a dedicated Chief Information Security Officer (CISO). But is it necessary to have a CISO? Can't a CIO double up as a CISO?
In an exclusive interview with CIO Asia, Sean Valcamp, Avnet's CISO, who was appointed last December, explained the need for a CISO and the role he plays in his organisation.
Valcamp holds more than 25 years of IT experience in the areas of IT security, technology strategy, enterprise architecture and solutions development. He joined Avnet 16 years ago and has helped strengthen the company's IT security capabilities, including educating employees on security, establishing a Global Information Security Policy and building a security operations team that protects Avnet from security threats.
Security has always been part of a CIO's responsibility. So why is there now an increasing need for organisations to have CISOs on top of having CIOs?
CIOs have and will continue to have responsibility for security. With the rise in security threats and the importance of data though, many companies are finding that they need someone who is solely focused on security. CISOs are able to dedicate all of their time and effort to protecting a company's employees, IT systems, and data against a broad range of threats.
At Avnet, there is a close connection between the two roles. I report to our CIO, and we collaborate closely to protect our information assets.
What are some of your/a CISO's top responsibilities?
In general, the main responsibility of a CISO is to establish and implement a security framework and strategy to manage cybersecurity risk for an organisation and its employees. A CISO creates security awareness and communicates key directives, policy, and success measurements to a variety of audiences, including the Board of Directors, executive teams, employees and business partners. Also, a CISO must keep the company's security practice moving forward to protect against ever-evolving threats.
As Avnet's CISO, I've developed an eight-point security framework that includes:
- Security Intelligence
- Data Security
- Enterprise Identity Management
- Audit and Compliance
- Secure Development
- Secure Infrastructure
- Security Awareness
- Security Operations
In addition to IT security, I have responsibility for Avnet's enterprise architecture and strategic planning for our IT team.
In general, who should the CISO report to and why?
In my opinion, a CISO should drive a strategy where every employee is responsible for keeping the company safe. Who the CISO reports to is not as important as the critical message that everyone plays a role in securing the company by working together.
What are some of the difficulties commonly faced by CISOs?
I think some CISOs can encounter challenges if they approach the role by creating an organisation focused on only setting and enforcing rules. A CISO should take a collaborative approach, enabling an organisation by always measuring risks and providing context to policy and standards.