Make way for a new chief in the C-suite: The chief information security officer (CISO) -- who is not necessarily a part of IT.
As the Internet -- and its associated deluge of data, clouds, devices, and sites -- becomes integral to IT success, enterprises are more at risk than ever of having precious information stolen, lost, or compromised by online malfeasance. And according to a new study from IBM, many enterprises are answering the challenge by appointing a CISO.
Interestingly, though, that person is increasingly detached from the day-to-day doings of the network and datacenter and more involved with strategic risk management. "In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues," says the report.
The CISO will most likely work as part of a risk management committee charged with measuring how well the organization is managing security risk overall -- by educating users and training IT workers, for instance. CISOs will also be involved in areas such as disaster recovery and business continuity planning. While these are areas that involve IT, they also draw in operations, finance, and other key parts of the organization.
As a result, the role of the CISO extends beyond the walls of the datacenter. "Security leaders are becoming more closely integrated into the business -- and more independent of information technology," stated one VP of IT interviewed for IBM's report, titled "Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment."
Many enterprises aren't ready for a CISO and may still be fighting security fires via IT. Adopting a "broader charter for the security function" won't be easy for these firms. But change they must. Threats to corporate data will continue to grow, especially given the rapid spread of mobile devices.
Currently, enterprises that consider themselves best prepared to deal with security can be termed "influencers," the report states. And of the 130 security executives surveyed worldwide, IBM found about 25 percent ready to classify their organizations that way.
But the evolution toward more comprehensive security has started, and it won't be reversed. Threats to enterprise security are scarier than ever. If you don't have a CISO or the equivalent in place today, you may soon wish you had.
The figure below illustrates some of the key findings of IBM's report.
IBM released this infographic depicting some of the findings of its latest report on CISOs.
— Mary Jander, Managing Editor, Internet Evolution