Gartner Highlights the Evolving Role of CISO in the New Security Order
By 2008, 65 percent of the Global 2000 will establish a chief information security office
Egham, UK, September 14, 2005 - Gartner today highlighted the increasing need for companies to invest in the development of comprehensive information security programmes. Analysts predict that by 2008, 65 percent of the Global 2000 will operate a chief information security office for the centralised management of such programmes. Furthermore, as security becomes an increasingly essential element of a company's risk management strategy, Gartner foresees that a growing number of security experts will step into a risk management role.

According to Paul Proctor, research vice president within Gartner's Information Security Group, "The bigger the organisation, the greater the level of external connectivity, and the more heavily IT dependent it is, the more complex the digital risk environment becomes." Mr Proctor said that large organisations thrive by having a developed understanding of risk, and by accepting it when it offers a business advantage. "Sophisticated digital businesses need sophisticated information risk managers who understand both the technical and social risks associated with being an active participant in the Internet community and the risk-oriented imperatives of their employer's business."

Consequently, more and more organisations are appointing a Chief Information Security Officer (CISO) who has decreasing responsibility for day-to-day security operations and a greater level of participation in strategic business decisions. The role of the CISO is particularly pertinent to many European companies, which tend to be less centralised than their North American counterparts. As a result, the CISO organisation has a pivotal role to play in establishing a security policy framework that can be utilised across the wider business. Mr Proctor tracked the evolution of the CISO role over the past decade, explaining that ten years ago the typical information security tasks originated predominantly from the operations group.
"Identity management, host security, and perimeter security have changed in sophistication over the last decade, but they have not changed in significance. Today, there exists an arms race of technology requiring organisations to make educated decisions regarding appropriate protection for their organisations."

Over the same ten years, and increasingly over the last two to five years, the emphasis within the information security space has become more strategic, especially at the very largest corporate and government organisations. "The ability to determine what constitutes risk, and the requirement to report that risk to executive decision makers, can be a highly political activity requiring excellent written and oral communication skills with a good knowledge of business. Generally, these skills have been lacking in traditional technically-oriented information security specialists," Mr Proctor added.

Gartner's research shows that, increasingly, information security is being given greater independence and is reporting higher in the organisation. Through either a dotted-line report to a Chief Financial Officer (CFO) or Chief Risk Officer (CRO), or even a direct report, the CISO has a reporting mechanism outside of the IT department. Especially at highly regulated organisations, this is viewed as an important governance mechanism. "Finally senior management is recognising that the CISO is able to provide a more realistic picture of IT risk when not subjected to the pressures of accommodating the IT agenda," Mr Proctor said. "The days of security being handled by the 'network person' who did security in their spare time are over, and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space." At the same time, business leaders are coming to terms with the hard facts about security:
Gartner says that an effective CISO can be instrumental in moving an organisation to the next security stage and ultimately towards operational excellence.

Information Security Model

When organising their security processes, organisations need to know where the information security and business continuity functions sit. Gartner counsels that there is no 'one size fits all' and advises businesses to take a broad view of information security, encompassing the technical and operational aspects as well as the strategic, planning and management side. Furthermore, there is increasing interest in integrating the information security and physical security departments, although Gartner's advice is to leave these groups as separate entities that work together as needed.

Gartner recognises that many organisations in Europe have not yet created the role of the CISO. However, in all likelihood they will appoint, or at least should be considering appointing, a director or chief of security who will play an increasingly business-focused role. Gartner predicts that a new breed of security expert will be trusted to protect the organisation of the future, and in many companies this person will be given the title of Risk Management Officer (RMO). Mr Proctor describes the Risk Management Officer of tomorrow as a trusted and fully integrated member of the executive team who has excellent communication and project management skills and an ability to balance strategic, tactical, and technical requirements. "The role of the RMO will be to facilitate the cultural changes necessary to guide operations away from their stranglehold on security decisions while guiding reluctant executives toward their responsibility to own residual risk decisions," said Mr Proctor. "Equally at ease with finance as firewalls, the RMO's strength will lie in the ability to have whole conversations about security and risk management without discussing technology."
Mr Proctor concluded by outlining six key recommendations for organisations intent on securing the future of their business: