Unlike the IT organisation, information security is unlikely to be given an entrepreneurial role within the business. Most likely, the information security team is viewed as a tactical commodity: providing services at as low a cost as possible, with few of the strong business partnerships that are essential to the IT group, and with little perception of shareholder value.
The chief information security officer (CISO) role - or one of the many variants of the title that abound - can be a confused one: a senior title, but one that often has to fight for a share of the IT budget and is most likely subservient to the head of IT. The CVs of most CISOs are likely to show a career path rising up through the ranks of IT with a side-step into security at some point.
Information security remains a relatively low concern for the business as a whole. Business leaders are far more likely to cite strategic and operational risks as being of more importance than those relating to data security. The perception of information security is that it remains a subset of IT and a predominantly technical challenge.
While compliance frameworks and programmes abound, these tend to run parallel to the business. The instruction to the CISO is usually to cause little or no disruption to operations. In other words: do what you have to do but don't interfere with the business of doing business.
And the business has good cause to be dubious about the value that the CISO brings. Data loss incidents continue to occur with frequency and information security organisations are looking impotent as a result.
Even a cursory glance at the statistics will show that the overwhelming majority of data loss incidents have little to do with hackers and unauthorised network intrusions: the very things that the CISO is supposed to be dealing with. The DataLossDB - an excellent resource detailing all publicly notified data loss incidents - reveals that more than 75% are the result of human error, lack of awareness, lack of training, fraud, or outright carelessness.
It is also the case that much of the data critical to the business is no longer within the bounds of the corporate network - it is in "the cloud", at third party vendors, on the laptops of contractors. It is challenge enough just keeping track of where the data is.
And while there is little doubt that data loss can be expensive and a nuisance, the risk of it happening is often regarded as being far-fetched. The "it won't happen to us" attitude still prevails.
Do you need a CISO?
For as long as information security continues to be treated as an entity separate from the business, the CISO will continue to play the role of "tick-in-the-box for the organisation" security leader. It can readily be argued that the position isn't really needed at all. There is little the CISO currently does in most organisations that cannot be absorbed into IT.
For the CISO to achieve boardroom support, the role must become focused on risk rather than security, and better able to communicate value: through better metrics, better business cases, and a greater ability to form partnerships with the key players in the organisation. Only then will the CISO be afforded the same entrepreneurial role that many chief information officers enjoy, with information security governance baked into overall corporate governance.
In short, it is about time the CISO role matured and began to show some return.
This was first published in July 2010