The importance of the CISO

There are only a few things guaranteed in life: death, taxes and data breaches. OK, I embellished that last one, but it sure seems that way does it?

But those organizations that don’t want to beg fate in life, and suffer a data breach, need to have security programs that closely align with executive leadership. Organizations that do so will always tend to have more secure organizations. Their CISOs and business executive teams will be in relative sync when it comes to security goals, risk tolerance, and what it takes to get to the right level of security. They are also more likely to run good regulatory compliance programs, and can more readily and effectively respond to breaches when they occur.

This is why I was disappointed to read in Luana Pascu’s post last week that CEOs are still not persuaded to boost investment in cybersecurity. In Pascu’s article, she wrote on the importance of CIOs in this task. However, I don’t think enterprises will ever get CIOs to be able to solve the enterprise cybersecurity challenge. Not on their own. CIOs aren’t rewarded for reducing risk; they are rewarded for keeping the bits and bytes flowing and digital transformation. There’s always going to be an inherent conflict here between the availability of data and technology and the level of security associated with that access.

For enterprises to have any chance at securing their enterprises they need to have executive leadership that cares about cybersecurity, the alignment on what level of security they’re comfortable with and what it takes to get there, and someone who has c-level authority – a CISO – who owns the information security program.

Years ago there was a study done by the IT Policy Compliance Group that found organizations that employ a CISO are more effective at security. Imagine that. Those organizations, of the 800 or so surveyed, had lower costs attributed to data loss, downtime and negative audit findings. While that survey is a decade old, it remains true, if not more so, today, especially as the speed of enterprise digitization increases.

There is quite a gap between how CEO’s see the maturity and capabilities of their security program and the actual maturity and capabilities of their security programs. Without a CISO in place, there’s no one focused on bridging the technical nature of security risks and how these risks translate into business risk. The CISO helps to develop the security strategy, put together the policies that enforce that strategy, and make sure the security program across the enterprise stays in place. For larger organizations, this is a full-time job, and not something that can be delegated to be a part-time responsibility of the CIO.

The CIO needs to focus on putting forth the overall enterprise IT strategy and how IT supports the business in its goals — the CISO works to support these goals and ensure they are executed securely. And by "execute" security we mean aligned with the risk tolerance of the organization.

And doing that means having constant, ongoing, and comprehensive conversations throughout the business about their technology systems and how they are being secured. Being successful requires having an executive in charge of security, having a strategy in place and continually updated, and then – and this is the kicker – being able to execute against that strategy.

Without having that in place, enterprises are just begging fate.