The changing role of the CISO
From technical officers to business strategy leaders
Published 14:18, 03 July 12
IBM's Centre for Applied Insights conducted its first study of senior security executives, and interviewed more than 130 security leaders globally. The study’s core concentration was on the role of CISOs and many interesting findings were laid out.
Over the past several years, security has gained a lot of importance. Organisations now pay more attention to security than they did a couple of years ago. To make an organisation secure, several factors must be in place. They include efficient collaboration between the security department and management, budget, creation of security awareness within the organisation, technology and many more. Among these factors, the role of the Chief Information Security Officer (CISO) is important in shaping a complete security solution. With the increasing demand for security and the expansion of its role globally, the role of a modern CISO is evolving from simply being a technical officer to a leader in business strategy.
Changing role of CISO and Security in organisations
According to the IBM study, security leaders today are under intense pressure, faced with the protection of some of their firm's most valuable assets - customer data, intellectual property and brands.
Nearly two-thirds of the CISOs who were a part of the study said that their senior executives are paying more attention to security today than they were two years ago. This is due to a series of high-profile hacking incidents and data breaches that convinced them of the key role that security plays in a modern enterprise. Rather than just reacting and responding to security incidents, a CISO's role is shifting towards proactive, intelligent and holistic risk management: from fire-fighting to anticipating and mitigating fires before they start.
Although this change in the role of the CISO is a positive sign that some organisations are already witnessing, a large number of organisations in the Asia/Pacific region have yet to implement some of the best security practices. Many organisations continue to actively deploy security policies; however, a lot of organisations do not give security a high enough priority. Some of our recent IDC Asia/Pacific studies show that in Asia/Pacific organisations, CISOs still lack an understanding of the significance of collaborating with management in devising business-strategy-driven security solutions.
Further, the role of CISOs has been changing with a growing demand for a new skill set. The responsibility of a CISO is not only to drive a security strategy and ensure its proper implementation, but also to drive a culture of security within the company at all levels. IDC sees this as an encouraging sign, as IT security is a growing part of an organisation's risk management strategy.
Consumerisation and BYOD
In this assessment conducted by IBM, another interesting finding was that more than half of the respondents cited mobile security as a primary technological concern over the next two years.
There has been a major increase in the adoption of Bring-Your-Own-Device (BYOD) across several organisations. IDC expects that nearly 40% of employees in Asia/Pacific will be mobile workers by 2015. We believe this trend will accelerate as more organisations are now inclined towards BYOD, keeping in view employee productivity, quick turnaround time, customer satisfaction and so on. It is not surprising that mobile security will be a cause of concern for most CISOs in the coming years. Organisations need to wake up to this trend, which will hit them in the near future; even now, data is scattered in different forms both within and beyond the walls of the organisation.
With the advent of any new trend and its adoption in organisations, such as BYOD, there is a growing need for organisations to adopt security practices that ensure there are no disruptions to business operations. IDC thinks that businesses will benefit from adopting some basic steps to ensure that the organisation's mobile security features are well deployed and maintained. These include the following:
- Using Risk Assessments to enable business decisions
- Having a mobile-security policy
- Educating employees on security policies
- Implementing remote-device management systems
Overall, the role of the CISO and IT security will need to evolve further. The changing security environment, in which more and more businesses are demanding flexibility, is making the IT environment increasingly complex and diverse. Trends such as BYOD are driving IT infrastructure towards optimisation and renewed flexibility. Organisations need to be more agile in dealing with change and understand the security implications that come with this agility.
Posted by Naveen Hegde