Why are Chief Information Security Officers Critical?

May 29, 2014         By: Jane Genova

In some corporations, the role of the Chief Information Security Officer (CISO) is becoming as important or even more important than the functions of the once-revered Chief Information Officer (CIO).

That’s because protecting the technology and the systems in place has become as much of a challenge as creating those systems. When security fails, the consequences can be severe.

The PWC Annual Security Survey for 2014 found that, just in terms of revenue, average losses due to security breaches around the world are up 18 percent versus the previous year.  Moreover the amount of each loss has been increasing rapidly. The $10+ million category of that has escalated 51 percent since 2011.

In the US, the iconic example of what can happen when security is breached is, of course, Target. In December 2013, hackers gained access to 40 million credit and debit cards. Come early May 2014, Target’s Chief Executive Officer (CEO) Gregg Steinhafel lost his job.

In late May of this year, Institutional Shareholder Services called for most of the Target Board of Directors members to be tossed out.  The stock remains near a 52-week low of about $56 per share, down from the high of $73.50. Right now, Target is in the process of revamping how the CISO function is structured.

Most CISOs do much more than manage risks to data. Here is a job description for the CISO of the Karachi Stock Exchange in Pakistan.

In essence, the job is primarily strategic. Depending on the organization, that strategy might cover:

 

-Creating the architecture for all cybersecurity, aligned with the organization’s unique tolerance for risk

-Establishing controls for all systems, ranging from financial to regulatory compliance

-Organizing response procedures for incidents, including disaster recovery

-Recruiting and training staff

-Ensuring privacy

 

According to HR Reported data, as of May 2014, the CISO’s median annual salary in the U.S. is $170,780.  With benefits such as stock options and bonuses total compensation could nearly double that.

PWC found that corporate leaders have made funding enhanced security activities a priority. In some organizations, the CISO has become a position that is often included in the Board of Directors. Increasingly, the head of information security reports not to the CIO but to the CEO.

However, the bad guys seem to continue to have the edge. It seems that no company is truly ever safe from security breaches, and it’s a constant fight to keep one step ahead.

A major shortcoming of security in corporate information security systems is that they operate like silos.  They are not part of an aggregate of a number of corporations which integrate their resources to anticipate, prevent and, when necessary, respond to attacks.

That atomistic approach aligns with 20th century competitive mindsets.  Corporations were fortresses of secrets. Pull down the drawbridge. Fill the moat with alligators.

However, that isolated stance means each part of a business must stand alone when hacked. Moreover, it’s more vulnerable to hackers who recognize the advantage of going after lone system vulnerabilities.

In addition, there are concerns, as with all technology, that the focus is on known risks as nefarious individuals become even more crafty.