Lately in the press there have been repeated calls for the roles of CIO and Chief Information Security Officer (CISO) to be separated. The reasoning behind this is that corporate boards are relying on the CIO to inform them about the nature of IT risks and thereby placing the responsibility for addressing them squarely on the CIO’s shoulders. Research shows that boards have a general lack of understanding about IT risks, and significant communication roadblocks exist between the head of IT and the board. This often puts the CIO in an unfair position of having to provide the board with the reassurance that the risks are under control, when often they are not.
A survey of almost 5,000 IT security professionals worldwide (released in July 2014) found that 40% of UK cyber security teams never speak with their executive team about cyber security, compared to 31% globally. Of those that did, nearly a quarter (22%) spoke only once a year, and a further 15% biannually.
The world of managing risk from the CIO’s perspective (and increasingly the CISO’s) is clearly riddled with challenges.
The question then remains whether the CISO should report to the CIO or to the CEO. When Target hired its first CISO this year, following its embarrassing data breach at the end of 2013, experts said the CISO should have been appointed to report directly to the chief executive. Their concern is that security may not receive a high enough priority if the CISO is subordinate to, rather than a peer of, the CIO.
There is an interesting argument to be made that for the CISO to be effective, he or she should be able to present arguments for large IT security expenditures directly to the CEO and the Chief Financial Officer, who can then balance the request against the budget the CIO has been allocated for IT operations.