What we’re going to tell you next is going to make you twitchy. So be warned, take a deep breath, perhaps grip the edge of your chair for reassurance, close your eyes. Open them in a second and then read this:
The CIO needs to surrender their hold on security and give it to someone else.
Eeek! OK, well perhaps for some people this won’t be that controversial. Patently, it isn’t for the wise owls at consultants PwC who came up with the radical action. In a new study, "Lost In Translation," security experts at the global firm think the reason we’re all so bad at security is down to ongoing bad communication between the information security function, IT and the rest of the business.
Instead of working together toward common goals, different parts of the business often fail to understand — or even respect — each other’s roles, according to the research, which aimed to gain insights into why business leaders underestimate information security risk.
Commenting on the findings, Richard Sykes, governance risk and compliance leader at PwC, notes: "The security of corporate information will stand or fall by the ability of the organisation’s various functions to communicate clearly and effectively with one another. It takes all teams to sustain a meaningful dialogue, so a change in mindset is needed from all sides."
There are two main solutions, the group argues. One – improve that communication process. Some of this is hardly rocket science: "Avoid using complex technical language and describe business risks and the relevant controls in straightforward business terms" and so on.
Some is more interesting, like the suggestion that the internal LOB owner or business leader should initiate ongoing workshops with representatives from information security, the business and IT to brainstorm the threats and opportunities and to debate solutions or that the information security leader should "forge strong links with ‘natural allies’ in the business, such as legal, compliance, risk and internal audit, to align business-focused language".
Two – finally split out information security as a separate reporting function. So we would finally see the role of CSO, Chief Security Officer, or as this position is now more commonly called, the CISO, Chief Information Security Officer, taken seriously and made to report not to the IT leader but directly to the CEO/board.
How would this help? William Beer, director of PwC’s security practice, says simple: what we have ain’t working. "The disconnect between CIO and CISO needs to be addressed," he told CBR. "A much better way than security reporting to the CIO is for it to report to the CFO, Chief Privacy Officer or direct to the board. This is part of a growing executive recognition that security’s strategic value should be more closely aligned with the business than with IT."
Not convinced? It seems your opinion may not matter anymore – the business has made up its mind and thinks this separation of security church and IT state is a good idea. Over the period 2008-11, according to PwC research, CISOs reporting to CIOs have gone down 39% while there’s been a 52% jump in them reporting to the board, a 67% hike in them being under the COO, and so on.
CIOs may be frustrated with this idea as in many ways, the growth of importance of security should have ‘politically’ benefited them. Take this definition from the report of what makes a great CISO: "The security practitioner must be able to converse with the business, understand the issues and risks from the business’s point of view, and protect its digital assets proactively – while simultaneously supporting the use of new technologies to open up new business opportunities." Kinda like what we should be able to do, eh, boys?
Seems like we lost this one, though. Sorry. But you have to be big about it and see that this separation will help the business. And let’s face it – you already have enough to do as it is. Time to let a new breed of ICT-business professionals bloom.
PwC was joined in this research project by a specialist information security body, (ISC)² (say "ISC squared"), which claims to be the world’s largest provider of professional information security certifications and educational services.