Where the CIO Ends and the CISO Begins

By Courtney Macavinta

When a hacker breaks into a company's main customer database, or the CEO wants to explore the security ramifications of a new Web service, the CIO has traditionally been the first executive called to the front line. But in many organizations, that is changing. There is a new leader who is charged with protecting the IT fort: the chief information security officer (CISO).

By 2008, 75% of Global 2000 organizations will appoint a CISO for the centralized development of information security policies, standards, and guidelines, according to a January Gartner Research report: The Evolving Role of the Chief Information Security Officer.

Still a relatively new role, CISOs started coming on the scene in the past six years to deal with the mounting IT security issues many enterprises face: cyber-crime, insider theft or sabotage, network intruders, viruses, phishing, and worms.

The role of information security has become even more important under a series of new laws that pertain to data breaches, record archiving, and consumer privacy protections. For example, organizations have to comply with California Senate Bill 1386, which requires any company that conducts business in the state, or has customers there, to notify affected California residents when unencrypted personal information in its electronic records is compromised. Under the Health Insurance Portability and Accountability Act (HIPAA), health care providers and insurance companies have to establish strong safeguards to protect the privacy and integrity of patients' records.

IT-reliant organizations are dealing with more security-related concerns than ever before, and this is why many of them have created a CISO position. Reacting to security breaches is still mainly under the purview of the CIO. At the heart of the CISO role, however, is overseeing risk assessment and management. In other words, it is the CISO's job to set security policies and analyze where business-driven IT projects and security concerns collide. The goal is to help the enterprise get not only the best return on investment (ROI) from IT, but the best return on security (ROS), too.

"The CISO is becoming a critical function for an organization," says Eric Ouellet, vice president of research, Gartner Security Practice. "It all boils down to some of the risk management issues that have come up over the past few years. With the CISO office, you have direct accounting and visibility into the security issues that face an organization."

But where does the job of the CISO begin and the CIO's job end? Ouellet says the CISO should work with the CIO to navigate the complicated IT security landscape. By breaking off many of the thorny responsibilities for security planning, the CIO should be able to concentrate on more business-oriented IT goals while managing daily operations more efficiently. The CISO ideally should take on some of a CIO's increasing security responsibilities for the benefit of the entire organization, including:

  • Managing risk: The main responsibility of the CISO, according to Gartner's report, is to define for senior management any risks the enterprise will face as a result of IT deployments. "The CISO is taking a look not at the day-to-day but at the strategic, long-term view of IT assets and how to manage security risks," Ouellet says. "As a result of regulations, they also have to look at where data within the organization lives and come up with requirements to mitigate risks and comply with the laws."

It's the CISO's job to establish a process for assessing and managing risks involved with all IT-related proposals and existing assets. For example, a CISO might develop a continuous risk assessment process to monitor, measure, and report security posture to management, Ouellet says, along with creating a risk acceptance and sign-off process.

  • Setting standards: These days, security must be ingrained in every aspect of an enterprise, Gartner concludes, from the culture to employee training to project planning to data collection and application development. One of the key roles a CISO can play is in creating a security policy framework for the entire organization. To support the CIO, a CISO is responsible for establishing "an information security program and a management infrastructure to ensure that technology risks are identified and managed according to the risk culture of the enterprise," states the Gartner report.

By setting standards and guidelines, a CISO can help build greater levels of accountability, transparency and measurability into security controls for IT. The CISO is also tasked with making sure that the information security policies of the enterprise keep pace with new technology integration.

  • Complying with regulations: Although the CIO is often the executive held accountable under new data security regulations, the CISO can help shoulder some of the burden. For instance, the CISO role can double as a governance mechanism, Ouellet says. "The CISO comes into play a lot more here," he says. "Regulatory compliance used to be more of a technical concern, but now it's more about corporate governance. The CISO can come up with global policies for risk management within the IT structure that also address regulations."

  • Evaluating business strategies: CISOs, like CIOs, are no longer focused just on technology. CISOs also are involved in strategic business decisions. They have to evaluate the security implications of new lines of business and recommend solutions, or advise against certain endeavors a company might be considering. "They help bring up security right from the get-go," Ouellet says. "Some businesses you can't get into because you can't handle the security risks. CISOs have to look at how risk mitigation strategies fit the business requirements."

At the end of the day, a CISO is another line of defense for CIOs who have to deal with mounting security risks and responsibilities, Ouellet says: "They are partners in looking at the same IT issues but from different perspectives -- the CISO will take care of the risk portion of IT."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
