Saturday, December 19, 2015

(The Big Disrupt) IT: The Double-Edged Sword That Is Being a CISO

In an age where IBM CEO Virginia Rometty's well-worn phrase that data is the natural resource of the 21st century looks less and less presumptuous, companies across the board are investing an awful lot of money in securing their data and their IT infrastructure from attack. This should be good news for CISOs, who are solely in charge of securing both and whose role has risen to prominence in light of large data breaches. However, it also puts a lot of pressure on CISOs to get things right when the odds are firmly stacked against them.

Sure, you might think a CISO armed with a growing budget, years of experience dealing with cyber-attacks and threats, a raft of tools offered by security vendors, and a strong team behind them would be in a great position to stave off the threat of hackers. But despite all these advantages, CISOs are still at a disadvantage: they face an enemy that outnumbers them and is often as good at, or better at, breaching security systems as CISOs are at protecting them. While attackers can be caught and prosecuted, the cost barrier to entry is almost insultingly low compared with how much companies have to spend to deal with a data breach. To give you an idea, TalkTalk's data breach in October will likely cost the company 30-35 million, while the attackers would be breaking the bank if the cost of their efforts ran into the thousands [1].

A good chunk of that 30 million will likely go to the CISO's budget, as the company has stated that it will give its CISO "carte blanche over security investments". That was likely to happen anyway, given that the company's managing director Charles Bligh revealed they were already discussing spending more on security before the breach happened [2]. TalkTalk's renewed commitment to security may reveal the company's intention to avoid being breached again, but this new focus in organizations across many fields is leading to a strange occurrence: CISOs' budgets increasing despite their companies experiencing breaches.

While security is obviously going to become a top priority for an organization after it experiences a breach, it's highly unlikely that a costly failure in any other C-suite role would be rewarded with an increased budget. You don't have to be a rocket scientist to work out what would happen if a CMO burned a 30 million hole in his budget on a marketing campaign that failed horribly, or a CEO presided over a sustained period of no or low growth: both would be out of a job before long. Unlike CEOs or CMOs, however, a CISO's job is largely about planning for the worst rather than the best, working to stop multiple threats at once, which means they take on a higher degree of risk of failure.

That high risk of failure seems to grow by the month as CISOs see their responsibilities expand at a rapid rate, with organizations embracing new technologies such as wearables, mobile, and the internet of things, all of which CISOs have to secure. This should be good news for CISOs, as more responsibility means greater stature in the organization, but they also have to contend with a notable increase in cyber-attacks and a much-discussed lack of talent in the cybersecurity field, which makes covering their growing remit that much harder.

In sum, like others in the C-suite, CISOs find themselves with a growing budget and greater responsibility, and yet overwhelmed by their role. But whatever happens, expect CISOs to be prepared for it.

[1] N. Wood (2015), "Talk Talk CISO given carte blanche over security investments".
[2] Ibid.
