Enterprise IT Context for the CTO

Bob Gourley


Determining Who Should Be in Charge of Cyber Security

Security has quickly transformed into a major issue for most businesses. As headlines highlight the now common incidents of security breaches, where victims as large as Target, JPMorgan Chase, and Sony have to struggle to repair the damage, many companies are prioritizing their cyber security needs, hoping to avoid becoming the next victim of a hacker’s wrath. Of course, it’s easy to say that security problems need to be addressed quickly. One of the biggest obstacles is figuring out who should spearhead the effort, not just to improve security but also to ensure no attackers infiltrate in the future. It’s a daunting task made all the more difficult by the lack of clarity regarding the nature of cyber security for an entire organization. While statistics show that companies are more willing to spend on IT security, all of those resources will go to waste if they don’t know who should be in charge.

For obvious reasons, many organizations look at the challenges of cyber security as a problem best solved by the IT department. After all, technology is their realm, so they should have to deal with the issues that come with it. Many businesses take this mode of thinking, ensuring certain percentages of the IT budget are specifically spent on security. This certainly isn’t a bad strategy to have, at least to start with. As studies have shown, the more a company spends on IT security, the less chance it will be subject to a cyber attack. IT departments usually have the knowledge and expertise to prevent most security breaches, but that doesn’t necessarily mean it’s the most effective way to handle security.

In fact, to truly combat cyber attackers, organizations need to ensure their security strategies have influences outside of IT departments. Every department needs a stake in the security of a company because security threats can and do exist outside of IT. Take bring your own device (BYOD) for example. If a business has adopted a BYOD policy, every worker in the company can use their personal mobile devices for their jobs. This opens up the possibility of security weaknesses spreading across the organization regardless of which department a specific employee works in. By spreading the responsibility of cyber security to the entire company, businesses are placed in a better position to respond to threats.

This dispersal of responsibility still doesn’t answer who should be in charge, though. Most issues as serious as security need one person to lead the effort. For many companies, that person is the Chief Information Security Officer (CISO), and while the CISO usually comes from the IT department, some businesses are changing the functions of the position. The general idea is to turn the CISO into more of an independent role, one that can maneuver between departments and prescribe different solutions that will increase security and prevent future breaches. CISOs normally have a seat on the company board, which also helps them to have the ear of the CEO, who needs to be on board for any significant changes. Some smaller businesses may choose to use consultants in place of the CISO. This third party, or “virtual CISO”, can fulfill certain responsibilities, though they are not a permanent fixture of the organization.

Each of these solutions does come with downsides. Placing the responsibility on IT departments usually leads to too much reliance on security technology and big data tools (like Apache Spark) to solve problems when they are not needed. Putting a CISO in charge may place too much focus on information security specifically and not on other security problems. In either case, a company’s priorities should be placed on making the entirety of the organization responsible. That means spreading security spending around. Of particular note is the need for employees to be aware of the security threats they introduce through their actions. Through awareness training programs, each employee can become responsible for security in his or her own way.

In a sense, no single person should be solely in charge of cyber security. From an organizational standpoint, having one person lead the way makes sense, but employees represent a critical element that may introduce security risks in the workplace. If each employee takes responsibility for cyber security, businesses will be much better off. That also includes the CEO, who needs to take the threat seriously. In other words, companies should not leave the responsibility only to the IT personnel. Everyone has a part to play in making sure they don’t become victims of security breaches.

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com