CISOs Should Report to the Board

by Ashwani Mishra    Sep 29, 2011

A key question faced by many organizations in defining the role and responsibilities of the security organization is where to align the most senior information security executive, referred to as the Chief Information Security Officer (CISO).

CISOs drive the information security strategy and policy, and work with risk managers to ensure that the enterprise has a proper risk management team. They oversee information security issues, provide high-level program management of all information security initiatives, and drive the security strategy forward within their enterprise.

“Reporting to the CEO or the board is the most mature model of reporting for CISOs,” said Vishal Salvi, CISO, HDFC Bank.

He added that at HDFC his role is independent of technology, and that he currently reports into the risk function.

When infosec reports to IT or the CIO, it is, in essence, aligned with IT: it is tied to IT budgets, reporting constraints and other IT priorities. With data becoming the most important asset of an enterprise, the security function needs to manage the security and risk mitigation of that data impartially. This is a primary reason security officers believe that security should be independent of the IT function rather than tied to it.

Over the years, the risk function in many sectors, especially BFSI and telecom, has gained immense importance. CISOs in these sectors have started reporting to the head of risk, and the information security function comes under the risk department of the enterprise.

“CISOs should be occupying the seat along with the other CXOs in the company. It will not happen immediately, but in another couple of years we will see such a reporting structure,” said Sunil Dhaka, CISO, ICICI Bank.

The above discussion was part of a panel discussion on how CISOs can communicate complex security plans to largely non-technical board members at the third INTEROP, a three-day IT exhibition-cum-conference that started in Mumbai yesterday.

The event has around 50 speakers from across the globe spread across 30-plus sessions, discussing a wide range of information technology topics.