3 things CSOs can learn from CPOs
The role of the CSO and CIO has been changing dramatically as technology becomes more and more vital to business strategies. Sometimes, it can be hard to keep up.
If we look at the headlines surrounding recent data breaches, we might conclude that the role of the chief information security officer (CISO) has never been more critical to the success and sustained well-being of an organization. As a by-product of this statement, we also might surmise that the information security organization, and where it reports into, is also important. This is probably why every recent CISO event includes a conversation about where the CISO and the information security program should reside within an organization. The challenge is that, however healthy the debate, the question of where the CISO and his/her department should report generally ends with 'it depends'. To shift from a debate to productive action, maybe the question is not where the CISO should report into
There's certainly no shortage of claims regarding the current shortfall of cybersecurity professionals. These findings show up repeatedly in our surveys, most recently the 2014 Global Information Security Survey and the 2013 State of the CSO, which both revealed that the demand for skilled IT security professionals continues to strain organizations' ability to fill security positions. Finding skilled information security workers was identified as one of the greatest challenges for 31 percent of large companies.
It is said that an enterprise is only as secure as its weakest link. Today, that weak link often turns out to be partners, suppliers, and others with persistent network and application access.
In our article, "The 7 Elements of a successful awareness program," we identified the first and most critical element was obtaining C-level support. Such support is critical for the success of just about any organizational effort. Their support brings organizational buy-in and authority for your efforts. You can get other departments to support your efforts. While you will still meet some resistance, it is easier to overcome or bypass. Most importantly, you get more funding to put together a respectable awareness program.
The IT skills gap isn't as bad as you think -- it's worse, much worse. Especially in the area of cybersecurity, that skills gap is a major threat to your business.
If you've got a "C" at the beginning of your professional title, you're at the top, or pretty close to it.
The problem with security awareness programs is that it is hard to prove their successes. As with all security countermeasures, success usually means that nothing happens. Ideally, success also means that the attempted attack is reported; however, that is rarely the case. With technical countermeasures, however, logs are usually maintained that allow people to point to all of the prevented attacks.
The good news is that security budgets are rising broadly. The bad news? So are successful attacks. Perhaps that's why security budgets averaging $4.3 million this year represent a gain of 51% over the previous year – and that figure is nearly double the $2.2 million spent in 2010 – all according to our most recent Global Information Security Survey, conducted by PricewaterhouseCoopers.
What Boards Want to Know and CISOs Need to Say
Seven years ago, in the SBIC report Bridging the CISO-CEO Divide, we explored the best practices security leaders could use to communicate more effectively with their CEOs. CISOs were at a crossroads and just beginning to take a seat at the executive table. We provided recommendations from global leaders about ways CISOs could embrace their growing leadership role, build trust with the executive leadership team and earn the confidence of their CEO. We discussed how charting a new course based on a strategic, risk-based approach to information security would drive clear business value.