Companies Need a CISO

By Priyanka Bhattacharya | 29 June 2011

CIOs say a Chief Information Security Officer (CISO) is necessary for a company to approach information security in a structured way. After the spate of high-profile security breaches at major global entities including Sony, RSA, Citigroup, Epsilon, and even the CIA, the need for a CISO, and the responsibilities of the role, have become even more apparent.

“When your business is related to intellectual property, it becomes very important to have a CISO within the organisation. There is a renewed focus on a CISO after recent hacking events,” says Srikant Balan, Head Risk Management, Infosys BPO.

Besides having a CIO to manage IT infrastructure, top management now needs to consider hiring a dedicated team to manage the data that flows through the company and to guarantee its security at all times. This matters because businesses rely on the Internet now more than ever.

“It is critical to have a CISO because he or she can then focus on championing the security awareness drive within the company. In today’s critical business scenario, a CISO is the person who will be able to quantify the information security setup, and focus solely on creating strategies to mitigate threats and risks,” says Prashanth Cherukuri, CIO of 24/7 Customer, a BPO organisation that holds mission-critical customer data.

However, it is crucial to the business that the roles of CIO and CISO do not overlap, because overlap creates a conflict of responsibility. Balan points out that a CISO needs an independent reporting structure, answerable only to the CEO or top management, and should not be under any business pressure. Emphasising the same point, Cherukuri says that only when the CISO is seen as a function separate from IT can a true information security strategy be put in place.

During a recent global CISO summit held in Rome by the Information Security Forum (ISF), it was found that the role of the CISO is becoming more dynamic. The statement released by the ISF says that the modern CISO must not only have technology skills, pre-empt threats, and implement compliance strategies, but must also have insight into business practices in order to create an effective information security setup. Says Adrian Davis, principal research analyst, Information Security Forum, “In recent years, the CISO has not always been aware of every activity within the business. The accessibility of cloud services and opportunity to any employee with a company credit card will change this and require the CISO to become much more engaged with the business.”

As hacking becomes more common, the CISO not only has to manage risk, but also needs business understanding and communication skills. He or she needs counter-intelligence strategies in order to develop information security best practices that employees can follow.