CISOs to break out of the technology ghetto

Analyst advises firms that security management should learn more about the business to prosper

The role of chief information security officer (CISO) is set to evolve from being technology-led to business-led, says market analyst Gartner.

At its IT security summit in London last week, Gartner announced that by 2008, 65% of the Global 2000 companies will have a CISO or create the role of risk management officer (RMO). However, the company stresses that the position will have little to do with managing firewalls and other elements of day-to-day security. Instead, effective CISOs will have to be empowered to set security policy and assess risk, and to report directly to the finance officer or elsewhere outside the IT department.

Hitherto, the role of CISO has been filled by people with technical skills, but Gartner argues that in future the position needs to be filled by business professionals who are able to weigh up acceptable risks. Furthermore, Gartner argues that by being distant from everyday security concerns, such individuals will have a more objective view of IT risk, without accommodating the pressures of the IT agenda. At the summit, Jay Heiser, Gartner vice president, quipped that to security people, acceptable risk is an oxymoron.

“The days of security being handled by the ‘network person’ who did security in their spare time are over, and increasingly we are seeing seasoned professionals with real business experience and school qualifications stepping into the security space,” comments Paul Proctor, research vice president in Gartner’s Information Security Group.

The ideal candidate for this role, adds Proctor, will be someone “equally at ease with finance as firewalls. The RMO’s strength will lie in the ability to have whole conversations about security and risk management without discussing technology”.

In reality, though, and as Gartner concedes, such a scenario is most likely in the largest of organisations, with a turnover in excess of £500,000. Such companies will inevitably be best able to absorb the extra layer of managerial hierarchy that such a role creates. It is also not clear to whom such a person would report: IT directors, CFOs, COOs or even CEOs.