Thursday, June 27, 2013
Top CISOs would like their role to be more independent and empowered
I recently moderated a panel on the topic “Should the Role of the CISO be more independent” at the TOP 100 CISO award function in Mumbai, India.
The increasing awareness of the vulnerability of organizations to cyber-security risks such as corporate espionage and compromise of intellectual property, resulting in service failures and reputational damage, has made visible the gaps in appropriate cyber-protection strategies.
Unfortunately, these changes have not yet resulted in raising the visibility of the CISO function or enabling a higher degree of autonomy for the role. The limited exposure of the CISO’s role to the organization’s CEO significantly limits the ability of the CISO to articulate such risks in a contextual manner to business, consequently reducing the CEO’s visibility into cyber-security risks that could eventually impact profits & growth.
Over 60% of today’s CISOs still report to the CIO, and are considered a part of the IT function. In a recent show of hands by the Top 100 Indian CISOs during a panel event I moderated, over 90% voted for a more independent yet empowered structure. Most CISOs felt that the heightened accountability of the function should correspond with increased powers over budget allocations, technology adoption, recruitment decisions and operations.
In a poll which I ran amongst a few members of the ISF (Information Security Forum), the respondents emphatically voted for an independent & empowered CISO function which they felt would make the role more effective and strategic.
Involving the CISO in the strategic decision-making process will ensure that security is accorded due priority. In the near future, it is very likely that CISOs will play a strategic role due to the rising cost & impact of cybercrime, and the adoption of business & technical changes due to consumerisation and the cloud.