Who is truly accountable for security? It’s not a hard question if you correlate the news of security breaches and LinkedIn profile updates. Consider the title CISO: it’s advertised as Chief Information Security Officer, but in the case of a public breach it’s more like Career Is So Over.
Of course there are many exceptions; the CISO who has come out of a public breach and is “battle hardened” can in some cases be a more attractive proposition for a prospective employer. The flip side, however, is that there are many examples of where the person that asked the business for more money for better protection became the fall-guy when there was no better protection!
It doesn’t seem fair, but there are early signs that this culture is beginning to change. The CISO, and associated security teams, are now no longer seen as owning the risk, with the business now actively making the broader decisions on risk. Security staff are now becoming more consultative, with the Business Risk Owner, or Senior Information Risk Owner, actually being outside of security and invariably considerably more senior than the CISO. We have seen some sectors within specific countries actually formally migrate the “operational risk” from the techies and on to specific business units.
This, of course, does not mean that the HR manager spends his morning debating whether he can deploy a network data-loss-prevention product, but he does become accountable for any deviation on the recommendations of the security department.
I think this move is an important one. Only the owner of a given information asset can truly articulate its value to the business, and understanding the value of an asset becomes important when determining what to do in managing the risk. Of course, other factors will need to be considered, but as security now becomes an integral part of the business, like any other expenditure it must demonstrate a return on investment.
Let’s not greet the CISO with complete accountability for everything in, and out, of their control. A formal governance model with nominated owners of information assets should be implemented, as well an overall risk owner for the business. By adopting such a model we can move away from an environment where a negative front page story results in a recruitment merry-go-round.
Raj Samani, CTO EMEA, McAfee