I am a CIO and I'm trying to stress to other C-levels within my organization the importance of hiring a CISO. What are some points I should include in my argument to convey the necessity of a CISO, and to what extent should I use FUD?
If the information security function is buried in the IT organization, its effectiveness is dubious at best. Tactical implementation of this function is typically rote, strictly technical and often an afterthought. This can be an inefficient and costly proposition, clearly pointing to security's need for better management and leadership. This is generally why organizations need CISOs.
The CISO is the senior-level executive responsible for establishing and maintaining proper levels of protection of corporate assets. The trend today is for the CISO to report either directly to the CIO or to an executive outside of the IT department.
The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be:
- Independent of influence or pressure from those affected by the protection of corporate assets;
- Empowered to deploy all proper levels of protection; and
- Positioned within the organization to embed information security into the business culture.
The CISO should be technical but also have the acumen to provide both IT and business management with incisive and realistic approaches to protecting corporate assets. The CISO has visibility to executive management that the information security group typically does not have, except possibly during major incidents. The CISO ensures that protection schemes serve both technology and business objectives.
FUD (fear, uncertainty and doubt) is clever and comical but produces limited results. It should not be the motivator for getting executive management's attention and support for information security and its need for a CISO. If you take 50 CEOs from the top Fortune 1000 companies, put them in a room, and ask them candidly what keeps them awake at night and what their most important goal is, they probably won't say to be the best in their industry, to have the best technology among their peers, or to have the best center of excellence for information security. Instead, they will say their ultimate goal is to maximize shareholder wealth. The CISO can ensure that information security supports that goal by deploying levels of protection and processes that match actual risk, compliance requirements and cost.
Overall, executive management will support the CISO as a key member of the executive team that understands technology, information security threats and solutions commensurate with the company's business objectives.