"Here at ADP, we have taken great lengths [to implement] cross-divisional and corporate oversight alignment through an executive security council, and treat our security and privacy program like other risk organizations, as components of the office of the CFO," Cloutier says.
The company views its security, operational risk and privacy programs as elements of its overall risk position, Cloutier says. "In our governance, it is the office of the CFO that is responsible for maintaining ADP's overall enterprise risk posture, and so that is where the CSO position reports to," he says.
At companies where security is the main focus of the business, the security executive role takes on huge importance. For example, at Websense, a provider of Web, email and mobile security technology, Chief Security and Strategy Officer Jason Clark not only oversees IT strategy and reviews all IT projects, but also is deeply involved in business decisions, including investments, market strategy and partnerships.
"My leadership extends across four individual areas — and requires buy-in from the executive suite, IT, engineering, marketing and sales," Clark says. "I act as a voice of our customers during product development to provide a real-world perspective."
The security budget Clark controls is distributed between IT and marketing. "This process encourages internal collaboration across departments and frees me from administrative issues," he says. "This has also allowed me to build a unique team in the office of the CSO, which helps to further evangelize our processes. We are free to actually implement the many internal and external security ideas that we create, and more efficiently prioritize these with other organizational demands."
Websense's CIO handles the operational side of its IT security while Clark oversees the strategy and projects.
"It's a strong relationship that allows me to use my business and security expertise to advise executives on successful strategies to improve their IT infrastructure and more effectively secure our organization."
A New Look
In the coming months, many organizations will change the way they look at security and how it is managed within the enterprise, and the CISO role will evolve, Durbin says. CISOs must refocus security to take their organizations from crisis response and compliance mode to proactive risk management, he says.
This is already happening at some businesses. Durbin cites a bank that is splitting up the CISO role among multiple individuals, each responsible for different segments of the company. They work as a team that reports to the COO, ensuring C-level support.
"There's another organisation I know of where security now reports through to the chief strategy officer," Durbin says. "I like that because security then has alignment with strategy." At a third company, in the media industry, the CISO works on a consultative basis with the business, taking on security projects as needed. This enables the CISO to showcase his expertise in security in addition to helping the company meet its business goals, he says.