The CISO has come to be in the last one decade a position which can not be wished away. However, but for mature business houses, it finds itself being tossed about quite a lot - sometimes under the CIO, and other times under heads of Operations, Finance, HR, or some other corporate function. Rarely does it have access to the board and even less the board room. It's as if most people think he is required but most can not decide where he belongs.
This is connected to the evolution of the CISO function from IT Security to Information Security. While definitely it has come out or at least on the way of coming out of the IT function, the CISO has quite not been able to establish the domain spread it requires to fulfill the Information Security responsibility for an enterprise. From being a transactional security organ which ensures security of IT transactions, CISO has gathered steam to encompass the operational risk management, the security governance and audit framework as also the disaster recovery apparatus.
However, there are several other complementary and competing security and related domains which exist in penny pockets in other parts of the organisation which dilute the CISO and often are beyond his control, some times at cross purpose. These are Physical Security, Enterprise Risk, Business Continuity, Privacy, Fraud, Investigation and their ilk who masquerade with other names.
Organisations would eventually see the business benefit of integrating all these complementary functions and consolidate them under one head under some enterprise function or create a new function for it; if only to stop them from their never ending turf war and one-up-man ship . But it is unlikely to bear a designation with a S in it standing for Security. It's simply not sexy enough, especially when there are so many more hep sounding names in the stable. So CSO may never happen, as it also has not happened till date.
Physical security has become interesting and technical. There is increased room for convergence between PS and IS. But rarely, if ever, there has been an organisation where the two are under one head. And whenever they are or when they would be together under umbrella, it will not bear the name of CSO but something rather fancy and unrecognisable.
This is not necessarily a bad thing. It will bring security and all the complementary functions into the middle of business relevance, hopefully with the head of this heterogeneous entiry being from a business background but with a strong understanding of information security, and having a place in the boardroom - if not the board.
This is connected to the evolution of the CISO function from IT Security to Information Security. While definitely it has come out or at least on the way of coming out of the IT function, the CISO has quite not been able to establish the domain spread it requires to fulfill the Information Security responsibility for an enterprise. From being a transactional security organ which ensures security of IT transactions, CISO has gathered steam to encompass the operational risk management, the security governance and audit framework as also the disaster recovery apparatus.
However, there are several other complementary and competing security and related domains which exist in penny pockets in other parts of the organisation which dilute the CISO and often are beyond his control, some times at cross purpose. These are Physical Security, Enterprise Risk, Business Continuity, Privacy, Fraud, Investigation and their ilk who masquerade with other names.
Organisations would eventually see the business benefit of integrating all these complementary functions and consolidate them under one head under some enterprise function or create a new function for it; if only to stop them from their never ending turf war and one-up-man ship . But it is unlikely to bear a designation with a S in it standing for Security. It's simply not sexy enough, especially when there are so many more hep sounding names in the stable. So CSO may never happen, as it also has not happened till date.
Physical security has become interesting and technical. There is increased room for convergence between PS and IS. But rarely, if ever, there has been an organisation where the two are under one head. And whenever they are or when they would be together under umbrella, it will not bear the name of CSO but something rather fancy and unrecognisable.
This is not necessarily a bad thing. It will bring security and all the complementary functions into the middle of business relevance, hopefully with the head of this heterogeneous entiry being from a business background but with a strong understanding of information security, and having a place in the boardroom - if not the board.
No comments:
Post a Comment