Security May Be Too Big a Job for IT

Written by Mary Jander
5/3/2012 10 comments

Make way for a new chief in the C-suite: The chief information security officer (CISO) -- who is not necessarily a part of IT.

As the Internet -- and its associated deluge of data, clouds, devices, and sites -- becomes integral to IT success, enterprises are more at risk than ever of having precious information stolen, lost, or compromised by online malfeasance. And according to a new study from IBM, many enterprises are answering the challenge by appointing a CISO.

Interestingly, though, that person is increasingly detached from the day-to-day doings of the network and datacenter and more involved with strategic risk management. "In two years, security leaders expect to be spending more of their time on reduction of potential future risk, and less on mitigation of current threats and management of regulatory and compliance issues," says the report.

The CISO will most likely work as part of a risk management committee charged with measuring how well the organization is managing security risk overall -- by educating users and training IT workers, for instance. CISOs will also be involved in areas such as disaster recovery and business continuity planning. While these are areas that involve IT, they also draw in operations, finance, and other key parts of the organization.

As a result, the role of the CISO extends beyond the walls of the datacenter. "Security leaders are becoming more closely integrated into the business -- and more independent of information technology," stated one VP of IT interviewed for IBM's report, titled "Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment."

Many enterprises aren't ready for a CISO and may still be fighting security fires via IT. Adopting a "broader charter for the security function" won't be easy for these firms. But change they must. Threats to corporate data will continue to grow, especially given the burgeoning of mobile devices.

Currently, enterprises that consider themselves best prepared to deal with security can be termed "influencers," the report states. And of the 130 security executives surveyed worldwide, IBM found about 25 percent ready to classify their organizations that way.

But the evolution toward more comprehensive security has started, and it won't be reversed. Threats to enterprise security are scarier than ever. If you don't have a CISO or the equivalent in place today, you may soon wish you had.

The figure below illustrates some of the key findings of IBM's report.

IBM released this infographic depicting some of the findings of its latest report on CISOs.

— Mary Jander, Managing Editor, Internet Evolution

Mike Acker
Rank: Cyborg
Saturday May 5, 2012 8:53:44 AM
no ratings

creating a new position won't help. to address the problem a new approach must be taken. Specifically: taking control of software.

~~

what's needed to be created is a consortium of business and industry leaders to bring pressure on OEM and Congress to make insecure software a product liability

~~

the idea that endpoint computers are available for advertisers and market analysts to run their tools and presentations has got to go in the bit bucket. such tools may be allowed but on condition that the host\endpoint is not modified or permanently affected, and no information is collected or exfiltrated from the endpoint.

Resolved:

the idea of using endpoint computers to snoop on people is hereby vetoed.

~~

The reader may recall that the infamous Robert Morris "Internet Worm" (11/2/1988) was simply a mis-guided attempt by Morris to count the number of computers on the Internet: he wanted all the computers on the net to report back to him and sent out his program in order to get them to do just that

it's the base concept that's wrong: it's not ok for you to run your program on someone else's computer without their permission. unfortunately you have to enforce that for your computer because there will always be miscreants who care nothing about what is or is not proper behavior.

Kim Davis
Thinkernetter
Friday May 4, 2012 11:58:43 AM
no ratings

Kim, your assertion that IT security doesn't begin or end in IT might be a tad...incorrect. 

Ah, that's why I didn't say.  I said security doesn't begin or end in the data center.  It involves broader considerations, and a good CISO will not be dismissive and ignorant of the IT element.

We can agree that the CISO shouldn't be a Luddite.

Mary Jander
Thinkernetter
Friday May 4, 2012 9:40:52 AM
no ratings

Agree totally that the traditional IT setup is in a process of metamorphosis, Lin. In some organizations, I think it won't be long before the old data center/glass house paradigm is a rarity. That said, it is also true that transaction processing via mainframes is still going strong as an in-house endeavor. Instead of disappearing entirely, I think we're more likely to see changes in the ratio of various IT models (centralized data center, cloud-based, etc.).

Mary Jander
Thinkernetter
Friday May 4, 2012 9:36:38 AM
no ratings

Wow, what a great point, DukeW. I've heard that the argument that IT should align itself w/ the business is a red flag that an enterprise's model is broken -- the idea being that IT should already be knitted firmly into the business. That thought resonates with me, and your take that the initiative to get things straightened out falls on the business side makes a lot of sense.

DukeW
IQ Crew
Friday May 4, 2012 7:26:26 AM
no ratings

Kim, your assertion that IT security doesn't begin or end in IT might be a tad...incorrect.  My experience with decades of CxO-level executives invariably winds up in a "don't bother me with the details, just get it done" pronouncement, and it winds up right back in our laps.  As fashions change in the business schools, you get wave after wave of newly-minted MBAs insisting that they be in control of IT, and we usually wind up under some CFO whose typical take-away is "I don't use a computer, I have a secretary for that."  Nary a clue, and efforts to point out reality invariably fall on deaf ears.  The simple fact is that the vast majority of businesses are now fully dependent on IT for their continued productivity and profitability.  Therefore, all this talk about how IT should be matching itself to business needs is a bit...incorrect.  The business should be re-aligning itself with what IT can supply, because that is the only way the business will be able to change and grow with changes in the market, and in technology.  And without a buy-in from upper management, no amount of effort is going to get the barn door closed before the horse escapes.  It all boils down to a big sales job.  Now, where did I leave my copy of "Sales Techniques for Dummies"?

lin crampton
IQ Crew
Thursday May 3, 2012 7:33:42 PM
no ratings

Security morphing into risk management under executive control, users BYOD'ing, applications and storage moving into vendor-supplied clouds, marketing encouraging employees to be media social  – maybe security isn't the only thing that is breaking down the walls of the data center and threatening the traditional IT manager's fiefdom.  Can't wait to start working with tomorrow's IT manager – collaborative, cooperative, focused on business goals, and hip!

 

Mary Jander
Thinkernetter
Thursday May 3, 2012 5:52:13 PM
no ratings

CISO, CSO, CIO... whoever happens to be in charge of corporate security has an expanding mandate and the big point is that he/she must be able to get past any sense of fiefdom or silo.

Mary Jander
no ratings

Yes, it makes total sense to me that a business concerned with security (and one hip to the latest security threats) would also be in line with trends toward cooperation and collaboration.

It's the rigid, old-fashioned silo mentality that can be so destructive in any organization, leading literally to a house divided against itself.

Kim Davis
Thinkernetter
Thursday May 3, 2012 4:50:34 PM
no ratings

Security does not begin or end in the data center, so it makes sense to me that overall responsibility is not in IT hands.  In my dealings with large corporations in the past, I remember meeting heads of security who included IT, as well as other elements of corporate security, in their remit.

What's necessary, of course, is that the CISO be competent to speak with IT and understand their challenges and concerns.

smkinoshita
Thinkernetter
Thursday May 3, 2012 4:32:38 PM
no ratings

I found the most interesting element of the chart to be that those concerned with security also seemed to be the least interested in collaboration, which I think is part of better business.

Does it strike anyone as logical that a business more aware of threats would also be a better run business, period?
