2017/12/27 10:07:13

Chief Information Security Officer (CISO)

As information technology develops, the role of the head of information security at an enterprise (CISO, Chief Information Security Officer) changes. Heads of companies of all sizes have come to appreciate the importance of information security more than ever before, and as a result CISOs are increasingly present on the boards of directors of enterprises. The new business context created by disruptive technology developments (for example, the Internet of Things and the growth of cloud computing), together with the rising level of threats, demands serious changes from security leaders, such as aligning business objectives with the capacity to respond to information security requirements. Although the profile of a cybersecurity leader remains technical, linking it to business objectives requires specific capabilities and a broader vision of the business.

Research

2017: New duties for the new CISO

With the growing number of cyber attacks and the growing risk of confidential data being stolen from companies, the work of the new CISO takes on a role it did not have before. According to research by the Ponemon Institute, 67% of cybersecurity leaders are responsible for developing and deploying their companies' security strategy and initiatives. This figure shows a growing level of influence, confirming that the CISO is being transformed from someone responsible merely for the IT domain into a key adviser to the enterprise's top managers.

In the same research, 60% of respondents said that their organization considers security one of its main priorities. The ability to prevent and respond to attacks is now of great value to companies, which are beginning to appreciate the CISO's tasks of raising information security awareness among other staff of the enterprise and training them adequately, as well as investing in cybersecurity tools for detecting potential threats.

The integration of business and technology taking place during the digital revolution is creating more complex ecosystems for companies and for the employees who deal with security issues. The CISO must now work according to the requirements of the enterprise and pursue the same aims as its other top managers. 69% of respondents in the Ponemon research consider the appointment of a security director with corporate-level responsibility a fundamental step for the company. The CISO of the future must report on their activity within the organization, plan a budget and keep strictly within it, and implement business tactics in line with the enterprise's goals.

Nor should we forget their responsibility for keeping IT services available at all times and for the integrity of corporate data. Thus, the new CISO must reduce the unavoidable risk of data leaks, protecting the confidentiality of users and clients while complying with all statutory requirements[1].

Most information security employees have a technical profile rooted in the study of computer disciplines. This makes sense, given the need for a clear understanding of programming-related questions and for working effectively with their teams at the technological level. However, the CISO of the future must have business vision and be capable of influencing their chosen area of the company's work, with leadership skills as well as skills in interpersonal communication and strategic development. The CISO of the future must also be able to develop business plans and operating models that contribute to the enterprise's brand, covering not only the technical aspect of information security but also its essential human aspect.

The CISO has come a long way in organizations where, for years, the role was considered minor, so this recognition should be welcomed by security experts as a remarkable opportunity. This evolution, which now requires combining technical, legal, regulatory and communication knowledge, shows a shift toward a global ecosystem that far better recognizes the importance of information security. The time has come to reassess oneself and to recognize that the traditional IT role no longer exists. Are you ready to become the CISO of the future?

2017: Board members do not see cybersecurity as a priority area

According to Fortinet research published in October 2017, nearly half of IT leaders in organizations worldwide with more than 250 employees believe that their organization's leadership team does not pay due attention to information security, despite the high-profile cyber attacks that have occurred. Nevertheless, many IT specialists are convinced that the move to the cloud, one of the steps of corporate digital transformation, will make security a priority area.

Information security is not yet a priority

According to Fortinet, 48% of IT leaders believe that IT security is not yet on the agenda of the board of directors. This does not, however, affect the budget: in 61% of organizations, security spending exceeds 10% of the IT budget, which is a rather high figure. 71% of the respondents polled reported an increase in the budget allocated to IT security compared with 2016. At the same time, IT leaders are convinced that information security should be among the priority tasks of management: according to 77% of respondents, IT security should be a subject of close attention for the leadership team.

Factors raising the priority of security issues

The research identified three key factors driving information security into the ranks of priority areas.

Growth in the number of security breaches and international cyber attacks

In the last two years, 85% of organizations have faced security breaches. Malware and ransomware were the most widespread attack techniques (47% of respondents). 49% of IT leaders said that international cyber attacks such as WannaCry have raised the priority of IT security. The scale and targeting of international cyber attacks are among the factors drawing the leadership team's attention to security, and security issues are now discussed beyond IT departments.

Increasing pressure from regulators

According to 34% of respondents, another important factor drawing the leadership team's attention is the growing number of regulatory requirements. For example, the GDPR (General Data Protection Regulation), which provides for substantial penalties, will soon come into force in the European Union. Naturally, these trends are of interest to the leadership teams of organizations.

Move to cloud computing

For many organizations, the move to the cloud is part of the digital transformation process. 74% of IT leaders expressed confidence that cloud security issues are gaining priority. 77% of respondents also said that cloud security, along with investment in the security infrastructure that supports it, is becoming a matter of paramount importance for the leadership team. Accordingly, half of the respondents polled (50%) plan to invest in cloud security within the next 12 months.

Research methodology

The Fortinet 2017 global enterprise security survey was conducted on behalf of Fortinet by Loudhouse, an independent market research company. The aim of the research was to analyze changing views on enterprise security in July/August 2017. 1801 anonymous respondents from 16 countries (the USA, Canada, France, Great Britain, Germany, Spain, Italy, the Middle East, the Republic of South Africa, Poland, Korea, Australia, Singapore, India, Hong Kong, Indonesia) took part in the global research, which focused on IT leaders whose duties include IT security. The respondents, who took part in an online survey, did not know the aims of the research sponsor.

2012: Evolution of corporate information security functions and their leaders

IBM research from early 2012 shows a distinct evolution of corporate information security functions and their leaders: a transition from performing technical support functions to strategic management of the business, even though, at present, only one in four cybersecurity directors polled plays a strategic role in their company.

In its first study of the CISO role, the IBM Center for Applied Insights polled over 130 chief information security officers and identified three types of leader in this category, based on their readiness to eliminate security weaknesses and the overall maturity of their corporate security system. The type of CISO named the "Influencer", representing almost a quarter of all respondents, is characterized by direct influence on the company's business strategy. Leaders in this category generally proved more confident and better prepared than their colleagues classified as "Protectors" (who deal exclusively with the technical and organizational issues of information protection) and "Responders" (who bear responsibility for IT security but have no influence on decision making).

All corporate security directors must solve the hardest problem of all: protecting the company's most valuable assets, namely money, customer data, intellectual property and the brand. Nearly two thirds of the CISOs polled stated that attention to cybersecurity has grown in the last two years: a series of large-scale attacks and leaks of confidential information have convinced companies' top management of security's key role in the modern enterprise. More than half of respondents considered mobile security the highest-priority technical task for the next two years. Nearly two thirds expect information security spending to increase in the next two years, and 87% of those assume that the growth will be in double digits.

Whereas the CISO's task previously consisted of responding to security incidents, today the role of the security director is shifting toward more deliberate and comprehensive risk management: from "fire fighting" to prevention. The CISOs classified as "Influencers", who are distinguished by their participation in strategic management, stand out for the following characteristics:

  • Security is seen as a necessary condition for the business (and not only, or even primarily, for the technology). One of the main features of leading companies is the attention their executives and board of directors pay to cybersecurity. In such organizations security is not an occasional meeting topic but an integral part of meetings, and increasingly an element of corporate culture. Thus, 60% of the leading organizations reported that security issues are discussed by their boards of directors on a permanent basis, compared with only 22% of the group of organizations less "advanced" in information protection. Progressive leaders recognize the need for fuller knowledge of risks and are therefore far more focused on educational initiatives, interaction and the dissemination of cybersecurity information across the enterprise. Far-sighted information security functions often support the creation of a dedicated security steering committee to implement a systematic approach to cybersecurity that covers the enterprise's legal and financial aspects, business operations and human resources. Such risk committees already operate in 68% of the advanced organizations polled, compared with 26% of the group of companies less developed in security matters.
  • Assessing results achieved and making decisions on the basis of data. According to the research, 59% of the companies polled in the leading category (compared with 26% of the group of less advanced organizations) use standard systems of indicators to analyze the effectiveness of measures to strengthen information security. A more mature cybersecurity risk culture can help to track staff awareness and competence, their ability to cope with future threats, and the integration of new technologies. In addition, automated monitoring of standardized indicators allows the CISO to focus on more general systemic risks.
  • Sharing budget responsibility with senior managers. The research showed that in most organizations the information security budget is usually controlled by the chief information officer (CIO). However, in the organizations with the highest success rating, investment is more often managed with the participation of business leaders. In the most advanced organizations, chief executive officers (CEOs) deal with the information security budget to the same degree as the chief information officer. Less progressive organizations often have no cybersecurity funding source at all in the form of a separate budget line, which indicates a less far-sighted, fragmented approach to security. According to the research results, 71% of the leading organizations polled (compared with 27% of the group of less progressive organizations) have a separate budget line for information security.

"The research results demonstrate the emergence of a new class of CISO who participate in developing the company's strategy, striving for a proactive and comprehensive approach to information security," emphasized David Jarvis, author of the research report and senior consultant at the IBM Center for Applied Insights. "We see that the image of the CISO is gradually acquiring functional completeness, as happened with the role of the CFO in the 1970s and the CIO in the 1980s: the range of tasks they carry out includes more and more strategic, rather than technical, issues. These changes show how much the importance of IT security has grown for different companies."

Recommendations for developing the strategic role of the enterprise's cybersecurity leader

According to IBM, building a more reliable and effective information security system is impossible unless the CISO forms an action plan that matches current capabilities and is aimed at solving the most essential tasks. The research report offers recommendations for developing a corporate cybersecurity system based on its current level of maturity.

For example, the research participants classified as "Responders" can move beyond tactical tasks by creating a separate position and function for the head of information security (such as a CISO), by assembling a security and risk committee, by assessing the progress achieved in strengthening security, and by automating routine security operations so as to free up more time and resources for implementing security innovations.

"Security in the modern world of digital communications involves a number of new problems, but their solution can be significantly simplified by implementing innovative methods and a more complex and comprehensive approach," noted Marc van Zadelhoff, author of the report and vice president of strategy for the IBM Security Systems division. "CISOs who pay more attention to these questions can considerably increase the efficiency of business processes and achieve notable success in building an informed, flexible corporate culture that is well prepared for future threats."

The place of cybersecurity in the target organizational structure

Cybersecurity as part of corporate culture

See Also

Notes