It disappoints me to see the huge focus on technology. Not a criticism of the site or the people posting, but a reflection of the misguided view that information is "owned" by technology because they are the people providing the mechanisms to process information. It's a bit like saying BMW are responsible if you have an accident driving a car that you bought from them!
I would like to see a move from technology solutions to information risk solutions which embrace all aspects of risks to the way we handle and manage information. Of course technology plays a huge part, but looking at the incidents that I see in day-to-day operations, most are not caused by technology failures (although IT gets the blame) but by people failures or process failures.
The CISO role should be a business-based role reflecting the need to support the "business" in managing the numerous challenges it faces in meeting regulatory and legal changes (e.g. privacy, which is not a technology problem but a business issue).
My view is that there should be a change in mindset which makes the CISO role into a CI RISK O (CIRO) role with a holistic view of all the different types of risk to information faced by the business. That role is not in IT!