Due to a string of high-profile data breaches -- and embarrassing incidents like the National Security Agency leaks committed by Edward Snowden -- more companies are debating the business necessity of having good security practices in place. While vendors emphasize the importance of new technology in mitigating security incidents, a number of organizations seem to be overlooking an obvious hole: the lack of a dedicated security pro in the CISO role.
I'm amazed to hear that large organizations still don't have a CISO. When it comes down to it, I don't really know too many businesses that can operate without [IT], and security is just a fundamental component of everything that companies have to do now.
Chris Ray, CISO, Epsilon
The role of chief information security officer has been around for nearly two decades, since Citigroup recruited industry veteran Stephen Katz to fill the position in 1995. Still, despite the increasing prominence of both the position and information security as whole, some large organizations still forgo hiring a dedicated CISO.
As the fallout from the epic Target breach continues to rattle the security industry, surprisingly -- or maybe not -- the Fortune 500 retailer lacked a dedicated CISO. The information security program at Target was split among several executives, who reported to chief information officer Beth Jacob. Despite security warnings, the Minneapolis-based retailer continued to operate its business as usual during the 2013 holiday shopping period. Over the course of nearly three weeks, attackers stole approximately 40 million credit and debit card numbers, as well as personal data of as many as 70 million customers, including phone numbers and email addresses.
Jacob resigned in early March. In a letter obtained by The New York Times, Target CEO Gregg Steinhafel wrote that the organization is creating the CISO role for the first time and centralizing its information security program. The retailer is also looking for a chief compliance officer, to separate assurance risk and compliance, which previously fell under a single vice president. The search for candidates outside the company is set to commence in the coming months.
"I'm amazed to hear that large organizations still don't have a CISO," said Chris Ray, CISO at Irving, Texas-based data services firm Epsilon, a subsidiary of Alliance Data. "When it comes down to it, I don't really know too many businesses that can operate without information technology, and security is just a fundamental component of everything that companies have to do now. There's a lot that goes into it other than having just a technical background, so you have to have someone who is specialized in that area."
He should know. Ray was hired in 2011 after Epsilon detected an unauthorized entry into its email system that handles customer email for a number of major banks as well as other business customers (including Target). The company said at the time that around 2% of its client base was affected, with various reports pegging the potential costs of the breach in the hundreds of millions.
Though it may seem as if Target is trying to put a Band-Aid over a gaping wound after the fact, there is some evidence that having a CISO can indeed play a role in reducing data breach costs. The 2013 Cost of Data Breach Study, issued by the Ponemon Institute last June, found that among the 277 companies surveyed, those that had suffered a data breach with a CISO in place experienced reduced costs to the tune of $8 per record. That number was notably higher in the U.S., where organizations without a CISO suffered losses of $23 more per record stolen.
"If you have a CISO who has set up a response plan and who has the instrumentation to understand the situational awareness of the network, and a group of people that are trained to be able to respond appropriately, that's a very efficient system," said Rick Doten, CISO for Bethesda, Md.-based managed mobility services firm Digital Management Inc. "If not, you're reacting. Reacting is acting emotionally without a plan, and that is unstructured and very expensive to do. If you don't have that structure, you have to hire someone very expensive to come in and fix it for you."
CISO no longer optional
David Sherry, CISO for Brown University, was shocked to hear a company the size of Target was operating without a CISO, especially as information security has gained more attention in recent years thanks to similar breaches.
The role of CISO has become vital to the operation of large organizations, regardless of industry, said Sherry, because security has become too important to be just one task for a CIO or other senior managers, as it apparently was at Target.
"Users know that there's someone overlooking things holistically that they can turn to," he said. "Someone who brings credibility that thinks about security first, instead of someone that just considers it part of their job and they only do it 10% of the time. So I think it makes a huge difference."
Until recently, information security programs may simply not have been deemed important enough to warrant hiring a dedicated leader. Derrick Wood, group CIO for U.K.-based Wood Group, said that the global oil and energy company had only recently decided to create and fill the CISO role. That decision came about only after the company had received a number of recommendations from KPMG, the consulting firm brought in to assess the Wood Group's information security practices, about 18 months ago. Before information security issues began making appearances in major media organizations in recent years, Wood said many organizations thought more about physical security than that of IT systems.
The CISO position is now mandatory for enterprises, especially those as large as Target, said Ray. Modern-day CISOs should be viewed as business executives who are focused on managing business risk, instead of "techy propeller heads" or other labels from the past. For a CISO to be effective, he or she must be capable of understanding 500-page vulnerability reports from a technical perspective, Ray said, and then translate the relevant tech details into language that other executives can understand.
Does chain of command matter?
Simply filling the CISO role won't be enough to have an impact on an organization's security posture, according to Digital Management's Doten. Enterprises should avoid having a CISO report up through a CIO because the two positions often have different goals and the chain of command can influence the effectiveness of the program.
A CISO's job is not to protect IT, it's to protect the business from the IT infrastructure.
Rick Doten, CISO, Digital Management Inc.
"The CIO is about maintaining an infrastructure that is available and servicing customers internally who could access things," said Doten. "The security guy really needs to understand the business risk, because a CISO's job is not to protect IT, it's to protect the business from the IT infrastructure."
Ray faced similar concerns when he joined Epsilon soon after the company's 2011 breach. He avoided issues, he said, by being upfront about the situation with the CEO and CIO. He also established a firm agreement among the relevant parties that he would have a clear line of communication to the CEO.
"I think there has to be open communication, so that if I need to say, ‘Your baby is ugly,' I can do that," he said. "We'll work on fixing issues and work together on a plan, but IT can't be where the message gets buried, or even held just because [security] reports through there."
Sherry said the security industry has been debating where a CISO fits into reporting hierarchies for as long as he can remember, and such conversations are likely to continue for the foreseeable future. He reports directly to the CIO at Brown, but noted that colleagues at other organizations have had success reporting to a variety of figures, including CIOs, chief operating officers and even chief risk officers.
The chain of command shouldn't matter, according to Sherry, as long as the CISO is empowered to communicate risks to decisions makers and take action independently when necessary.
"If you report to the CIO and they don't take security seriously, what good is it? If you report to the board of directors, but they're more concerned about making money and cutting the security budget, what good is that?" said Sherry. "I think the important thing is having the organization recognize that there is a person responsible for security and that they back that person."
Brandan Blevins is the news writer for TechTarget's Security Media Group. Follow him on Twitter @BrandanBlevins.
Send comments on this article to firstname.lastname@example.org.