Rising security threats put the spotlight on the CISO

by Sohini Bagchi    Aug 12, 2013


With rising incidents of sophisticated threats, the chief information security officer’s (CISO’s) role is becoming more important today both in the private and public sectors. Experts believe an increased number of firms will start appointing CISOs in the coming months and those already having one will ensure that the CISO has a powerful and more strategic role to play in securing the enterprise.

CISOs in demand

Research reveals that CISO jobs are becoming the most sought-after in the tech sector, outpacing other IT jobs by a wide margin. According to a new study conducted by Wanted Analytics, a global IT hiring firm, there has been a sharp increase in the intake of CISOs and cyber security professionals across sectors and verticals. In its June report on hiring trends, the firm mentions that there has been a 24% year-over-year increase in the recruitment of chief security officers and IT security mentors in the first three months of this year, when compared to the same period in 2012.

In some regions, such as in the US, the pay of some of the top CISOs is three times the national average. Semper Secure, a US-based research firm, revealed that senior cybersecurity professionals report an average salary of $55.77 per hour. “But it’s more than just the money. CISOs say that they actively seek employers with strong reputations for integrity and those that are recognized as leaders in their field,” states Jim Duffey, secretary of technology at the office of the governor of Virginia, in a statement.

The CISO transformation

It is evident that enduring security threats from hacktivists and cybercriminals seeking to steal proprietary information have prompted businesses to look at CISOs from a different perspective. CISOs are under greater pressure to meet business objectives like protecting business reputation and implementing innovative technologies to enable secure business transactions.

Chris Christiansen, Program Vice President, Security Products and Services at IDC, points out that innovations such as BYOD, cloud and social networking are compelling CISOs to grapple with how to effectively secure their data and protect valuable intellectual property. These trends will drive the transformation in CISOs, whose role will evolve to address the increasingly complex security landscape. “It’s all about defining risks, establishing security and then striking a balance between the two,” says Christiansen. For example, CISOs in coordination with the C-suite will arrive at a BYOD security policy that strikes a balance between user freedom and protection of corporate assets.

At present, CISOs are already in demand in some sectors such as BFSI, manufacturing and telecom. Going forward, there will be an increased intake from sectors such as media, entertainment, pharma and healthcare, according to IDC.

“Security is the fundamental component in business today and adds value to the enterprise,” mentions Felix Mohan, Senior VP and Global CISO, Airtel, in a statement at the RSA security roundtable. The CISO’s role will be even more powerful in the coming months as businesses become more aware of security standards while bringing innovation to their products, technologies or processes.

Greater role clarity

However, when it comes to giving power to the CSOs, experts believe that, in reality, the role is still ambiguous and not too well defined. A recent study by PwC found more than 50% of CISOs report to the CIO or IT head of the organization. Often his role is not defined and he works mostly in tandem with the CIO, ensuring IT systems run effectively. In reality, the CISO should be more concerned with security and risk management and with formulating strategies on security.

Many also believe the CISO reporting structure remains ambiguous. On the debate as to whom the CISO is answerable, some believe he should report to the CIO or CFO and others say he should report only to the CEO. However, Vishal Salvi, CISO & SVP, HDFC Bank, notes that the reporting structure is becoming more mature in recent times. “Reporting to the CEO or the board is the most matured model of reporting for CISOs,” he says, adding that his role is independent of technology and he reports into the risk function.

He believes that, going forward, CISOs should not only look at security and risk management, but also have insights into business practices to create an effective information security setup. “With more CISOs coming on board and at the same time, with the evolution of emerging technologies, the new age CIO’s role will see continuous transformation and innovation in the coming months,” he says.

The PwC report also suggests that, as more companies recruit CISOs, they should bear in mind that an elevation of the role of the CISO, both in terms of handling responsibility and reporting structure, will allow them to have more say in aligning security with the overall risk posture of the business, providing a holistic security implementation in the enterprise.