Chief information security officers (CISOs) should be wiser when setting out their responsibilities and budgets with their boards, according to research firm Gartner.
At the Gartner Security and Risk Management Summit in Sydney this week, Gartner analyst Paul Proctor said that company boards are keen to give CISOs the task of protecting an organisation from attacks, but quick to distance themselves from any responsibility of their own in the event of an attack.
Proctor, according to ZDNet, said, "CISOs are their own worst enemy when they position themselves as the defenders of the organisation, because it lets the executives skate on accountability."
Proctor said boards too often separate business risk from web and network security, and that CISOs had to make sure they aren't left exposed on their own. "Choosing to save some money and experience more risk is a legitimate business decision. The failure is allowing executives to live there without it being a conscious choice," he said.
Proctor said that CISOs should not simply ask for money to protect an organisation, but ask the board how much risk the organisation is willing to take on security, and request the appropriate security systems to address those risks.
CISOs also need to talk in business language rather than IT terms. At the conference, Proctor reportedly used the example of a CISO at an automotive manufacturer who successfully addressed security issues with his board.
Instead of reporting the length of downtime caused by security incidents, the CISO used the company's known vehicle production rates to tell the board how many cars they stood to lose.
"They report lost cars to their board, not IT downtime, because their board cares about cars; they don't care about IT," Proctor said.