Should your business have a Chief Information Security Officer?
The rise of the CISO
Data breaches won't go away. With threats from nation states, criminal organisations and groups such as Anonymous on the rise, we are seeing more CEOs recognising the need to hire a Chief Information Security Officer (CISO) to drive information security and risk strategy.
Recent high-profile breaches have highlighted the need for better information security awareness from the average employee to the board of directors. However, what do we need to know about the role of the CISO? We spoke to Bob West, Chief Trust Officer at CipherCloud, to find out his thoughts.
TechRadar Pro: In an enterprise, should security and IT sit under the same umbrella?
Bob West: Generally no, but it depends on the size of the organisation and the make-up of the technical staff. It may make sense for a 1,000-person company to have IT and security under the same group. But it makes sense for larger companies to separate out the roles and teams for scaling purposes.
At the end of the day, the responsibilities are fundamentally different – security protects the organisation's assets; it gives input on the technology decisions and the possible risks the enterprise faces. IT delivers technology solutions.
TRP: What is the role of a CISO?
BW: The CISO advises the executive team on how the organisation needs to meet the various security and privacy requirements to do business in their given industry and territories of operations. The CISO oversees a team that together has a 360 degree view of the risks facing the enterprise and puts in place the necessary security technologies and processes to minimise the risks to the organisation.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
TRP: How does the role of the CISO compare to a CIO?
BW: Above, we covered the role of the CISO. There are some overlapping areas with the CIO, who drives technology strategy. For example, when the technology group is making a buying decision, the security group needs to be pulled in to vet the technology from a security standpoint.
TRP: How important is the CISO role today?
BW: The role grows in importance with every security breach and security vulnerability identified. The threats have been much more aggressive and range from nation states to criminal organisations.
TRP: Should every organisation have a CISO?
BW: As I alluded to in my response to the first question, SMBs may not need a dedicated CISO. In those cases, it could make sense for the CIO to also wear the CISO hat and he/she may have a consultant to provide guidance on a part-time basis.
TRP: Was the lack of a CISO a major contributing factor to the infamous Target data breach?
BW: It's not easy to understand why an organisation of Target's size didn't employ a CISO at the time, but without one, it is very difficult to ensure information is protected consistently across the enterprise.
TRP: What can other organisations do to prevent a repeat of a similar breach?
BW: Make sure there is security leadership and the right staffing level and budget so information can be properly protected. Policies that can be clearly understood need to be written to guide the entire organisation. Everyone should understand what they need to do to protect information as part of their day-to-day role. Protecting information requires the right combination of people, process and technology.
TRP: What can enterprises do now to improve their cloud security whatever infrastructure they have?
BW: The biggest danger in the cloud is enterprises either think that cloud providers have security covered or that there are no solutions for cloud security. On the former point, major cloud providers have built up robust network and infrastructure security. For example, in the case of email, Google and Microsoft have implemented SSL encryption to protect data at the transport layer and that's very useful.
But protecting the data itself goes a step further and is a must-have for businesses in the current business climate. Some of these controls for cloud include application discovery, encryption, tokenisation as a masking alternative, data loss prevention to set and enforce policies, and monitoring to understand unusual activity.
Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.