A CISO AND the cost of a data

The 2012 Cost of Data Breach Study conducted provides some valuable information about the average cost of an enterprise data breach. The study, released in March’13, also recognized that organizations with a chief information security officer (CISO) in place experienced reduced costs for data breaches, which is right on target from my experience.

I am right in suspecting that an organization without a CISO is more prone to a security fault.

The role of a CISO:

First and foremost, having a CISO on staff (regardless of reporting relationship) essentially gives the company an internal security "conscience." A CISO can be a subtle, internal driver for employees and management to consider information security in their big-picture business decisions and in individual, day-to-day actions. Designating a CISO also demonstrates the executive management team's commitment toward ensuring a more secure environment, both for the company and its customers. Having a CISO sends a message that security is important to the business and can't be ignored.

In terms of data breaches specifically, a CISO gives an organization a designated in-house expert to handle a breach incident and any associated investigations. If the CISO's role is filled by a quality candidate, he or she will likely create an incident response team and an effective communications structure, including legal, human resources, public relations and IT operations, in the event of a suspected breach. This all means that a data breach is likely to be discovered, analyzed and responded to more quickly, limiting or often preventing serious monetary damage to a company. Without a CISO, there's often no guarantee that an organization will even know how to respond, never mind do so successfully.

Regarding CISO responsibilities and the CISO's role relative to security governance, I have argued before in my earlier blogs (and still believe today) that an effective CISO should be actively involved with the company and executive decision making. Also, rather than maintaining a "security bubble,'' the CISO should serve as an evangelist and make it a point to raise awareness that security is everyone's job.

What steps can be taken to boost security with a CISO on board? If a company has not already designated and assigned a CISO, it is important to put a qualified person in the CISO role as soon as is practical. Every large enterprise should have a CISO in this day and age, and many SMBs should too, or at a minimum have a director-level IT manager whose primary responsibility is information security. An organization should assign measurable responsibilities to a new CISO and hold that person accountable for the company's security posture and profile. Providing adequate funds to properly staff the security team is also important; even great CISOs need talent around them to affect real change.

The executive management team can help empower the CISO to be more effective by actively supporting and backing him or her. To foster an understanding that the role is an extension of the senior executive team, the CISO should also have the opportunity to meet and brief executive staff, the board of directors and key customers.

(Read more:  Technology/Solution Guide for Single Sign-On)

Security as a priority

Preventing or limiting data breaches and ultimately maintaining a secure enterprise means filling the role of a CISO with a strong candidate capable of sustaining the corporate security conscience. One of the trickle-down benefits of a strong CISO is likely to be reduced data breach costs, but enterprises must remember that a CISO alone cannot make them secure. He or she must be able to build out a quality team and, perhaps even more importantly, every member of the organization needs to buy into the idea that security is important to the business. A strong CISO must provide the reminder that security is everyone's job.

With rising incidents of sophisticated threats, the chief information security officer’s (CISO’s) role is becoming more important today both in the private and public sectors. Experts believe an increased number of firms will start appointing CISOs in the coming months and those already having one will ensure that the CISO has a powerful and more strategic role to play in securing the enterprise.

CISOs in demand

Research reveals that CISO’s jobs are becoming the most sought-after in the tech sector, outpacing other IT jobs by a wide margin. According to a new study conducted, there has been a sharp increase in the intake of CISOs and cyber security professionals across sectors and verticals.

(Watch more : Attacks on Smart TV and Connected Smart Devices)

The CISO transformation

It is evident that enduring security threats by hactivists and cybercriminals seeking to steal proprietary information has prompted businesses to look at CISOs from a different perspective. They are in a greater pressure to meet business objectives likes protecting business reputation and implementing innovative technologies to enable a secure business transaction.

It has been noticed by various surveys that Innovations such as BYOD, cloud and social networking are compelling CISOs to spin their wheels on how to effectively secure their data and protect valuable intellectual property.  These trends will drive the transformation in CISOs, whose role will evolve to prevent the ever increasing complex security landscape. “It’s all about defining risks, establishing security and then striking a balance between the two,” says an expert. For example, CISOs in coordination with the C-suite will arrive at a BYOD security policy that strikes a balance between user freedom and protection of corporate assets.

At present CISOs are already in demand in some sectors such as BFSI, manufacturing and telecom. Going forward, there will be an increased intake from sectors such as media, entertainment, pharma, manufacturing and healthcare according to a survey.

(Read more:  Action List Before Adopting a Cloud Technology)

Greater role clarity

However, when it comes to giving power to the CISOs, experts believe in reality the role is still ambiguous and not too well defined. Many a times his role is not defined and he works mostly in tandem with the CIO ensuring IT systems run effectively. In reality, the CISO should be more concerned with security and risk management and formulating strategies on security.

Many also believe the CISO reporting structure remains ambiguous. On the debate as to whom the CISO is answerable, some believe he should report to the CIO or CFO and others say he should report only to the CEO.

(Different Sources of Survey and study Analysis)

More:  Join the community of 1400+ Chief Information Security Officers.  Click here

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform