
Why is the CISO role necessary to enterprises?

A chief information security officer is becoming a necessity to organizations. Expert Mike O. Villegas explains why and how to communicate this need to other executives.

I am a CIO and I'm trying to stress to other C-levels within my organization the importance of hiring a CISO. What are some points I should include in my argument to convey the necessity of a CISO, and to what extent should I use FUD?

If the information security function is buried in the IT organization, its effectiveness is dubious at best. Tactical implementation of this function is typically rote, strictly technical and often an afterthought. This can be an inefficient and costly proposition, clearly pointing to security's need for better management and leadership. This is generally why organizations need CISOs.

The CISO is the senior-level executive responsible for establishing and maintaining proper levels of protection of corporate assets. The trend today is for the CISO to report either directly to the CIO or to an executive outside of the IT department.

The keys to making the CISO role successful are independence, empowerment and position. The CISO needs to be:

  • Independent of influence or pressure from those affected by the protection of corporate assets;
  • Empowered to deploy all proper levels of protection; and
  • Positioned within the organization to embed information security into the business culture.

The CISO should be technical but also have the acumen to provide both IT and business management incisive and realistic approaches to protection of corporate assets. The CISO has visibility to executive management that the information security group typically does not have except possibly during major incidents. The CISO ensures protection schemes converge technology and business objectives.

FUD (Fear, Uncertainty and Doubt) is clever and comical but has limited results. It should not be the motivator to get executive management's attention and support for information security and its need for a CISO. If you take 50 CEOs from the top Fortune 1000 companies, put them in a room, and ask them candidly what keeps them awake at night and what their most important goal is, they probably won't say to be the best in their industry, to have the best technology among their peers, or to have the best center of excellence for information security. Instead, they will say their ultimate goal is to maximize shareholder wealth. The CISO can ensure information security supports that goal by deploying levels of protection processes that meet actual risk, compliance requirements and cost.

Overall, executive management will support the CISO as a key member of the executive team that understands technology, information security threats and solutions commensurate with the company's business objectives.


Next Steps

Check out a sample of a CISO's resume and see how yours compares.

This was last published in March 2015
