Is IT about to lose the I?

Office
(Image: Stockfresh)

Print

PrintPrint
Blogs

Read More:

13 October 2015 | 0

Paul HearnsThere has been a growing trend in enterprise recently that has seen the role of the chief information security officer (CISO) come into sharp focus for a number of reasons.

Firstly, it has long been said that the data is the new oil, and that with the increasing proliferation and rapid development of analytics tools, organisations are going to want to spend more on deriving intelligence from their data to direct future strategy. As such, whoever is in ultimate charge of the tools and the data, will be a very important person indeed who does not need to be diverted in focus with extraneous, or indeed, competing responsibilities.

“The suggestion now is that data has become so important a resource and potential source of value that it need its own leader to perform this function, potentially reporting directly to the CEO, separate from IT”

Associated with this is the risk of that data being lost, misused or damaged. One need only look at some of the recent headlines to see what a breach or damaging revelation of sensitive data can do to a CEO, organisation or even an industry.

That means that anyone looking after all data for an organisation, whether that be in electronic, paper or even lodged in the heads of workers, form needs to understand the value of that data to the business, working with business leaders within the organisation to ensure that maximum value and insight is extracted, but also to safeguard it from improper use which might expose the organisation to risk.

Interpretive role
This sounds like the role of the CIO, but increasingly the CIO has been more of a leader providing supports to the organisation in understanding how technology can support, improve or transform business functions and thus drive revenue. The suggestion now is that data has become so important a resource and potential source of value that it need its own leader to perform this function, potentially reporting directly to the CEO, separate from IT.

This is further fuelled by the fact that physical security is increasingly being aligned with other kinds of security, with many calling for enterprise security in general to be led by one individual, the CISO, who would be independent of IT.

According to a 2014 survey from Gartner, 38% of respondents indicated explicitly that the most senior person responsible for information security reports outside of the IT organisation.

“The primary reasons for establishing this reporting line outside of IT are to improve separation between execution and oversight, to increase the corporate profile of the information security function and to break the mindset among employees and stakeholders that ‘security is an IT problem,'” said Tom Scholtz, vice president, Gartner.

It has been argued that in the wake of many high profile security breaches, the CISO needs to be able to keep the CEO appraised of the latest security threats without the filter of the potentially competing interests of the CIO.

Disagreement
Naturally, most CIOs would disagree, but there seems to be a growing trend in this area.

Ryanair, for example, now has the post of Information Security Manager, which is outside the IT department.

Others point out that standards such as ISO 27001 include physical and IT security and therefore should be managed within a single function. Sid Deshpande, principal research analyst, Gartner, has said that in order to drive effective management of security, both IT and security professionals will need to engage in joint deciso9n making.

Writing for the CIO Forum online, Mastufa Ahmed said that the objective of what he terms unified security is to be able to examine risks that organisations face as a whole.

“This calls for a new thinking that brings together stakeholders to work closely. Ensuring employee safety, reducing external risks, etc may get a little difficult for information security professionals initially. The challenge of a converged platform begins with aligning physical security and IT stakeholders that traditionally have different mindsets. Dealing with systems running on disparate computing platforms, communication protocols, storage devices, and networks is not easy.”

Large organisations
Here in Europe, this may be further fuelled by legislation that will require every organisation to have a data protection officer of some sort. As observed by our own Leslie Faughnan, this does not have be an IT person, in that they do not require IT qualifications to hold the role, and so may result in the likes of company secretaries becoming the data protection person in addition to their normal duties. However, in larger organisations that may have been moving towards security as an independent role, and possibly information management too, bringing data protection compliance and information management in together in a single role may make yet more sense.

What emerges then is the combined importance of data, with the risk of its loss or misuses, the potential for security to take a back seat to revenue generating technologies, and the need to align physical security with information security, is pushing security in enterprise to become a separate responsibility with the only controversy being to whom this new role should report.

For larger organisations, it seems as if the answer would be directly to the CEO, but others seem comfortable with a CSO reporting to the CIO, and being available at board level to answer specifics.

An article on the Wall Street Journal by Clint Boulton on the topic, quotes Cisco CEO John Chambers who argues that corporate boards have become fearful of cybersecurity breaches, which is making them rely more on the CIO/CISO, making it critical for them to work together.

Most quoted statistics, which are generally from surveys of CIOs and CISOs at gatherings, conferences or within associations, indicate that more than half of all CISOs do report to the CIO, and as much as half of them do not have a problem with this. But many commentators see this as a conflict and argue that to drive real and effective security management, a CISO must have power outside of IT.

The issue is one that is evolving rapidly, but it seems that individual needs, sector concerns and perhaps market influences will determine who reports where and for what, but the trend of security, including information, becoming an independent role seems unlikely to go away.

Read More:



Leave a Reply

Back to Top ↑