Security officers must change or die

Companies need to recognise the evolution of information security or they risk being left behind, says Gartner

The role of the chief information security officer (CISO) within many companies needs to be radically altered, experts warned last week at the Gartner Security Summit in London.

The situation in many companies at present is that the CISO "is the most detested person in the organisation, because they are the ones who say 'no'," according to Paul Proctor, a senior Gartner analyst.

The primary concern of CISOs is security, which leads them to block requests for extra functionality in certain risky applications. In future, the role of the CISO will increasingly focus on risk management and on acting as a facilitator between operations and the business unit.

"The CISO of the future is the one who can run the risk-management organisation," said Proctor. "At the moment, security has been elevated and has power — and there are security people who are arrogant and have an attitude. They need to recognise that the business unit may deem some risks acceptable," Proctor said.

"'Acceptable risk' is an oxymoron to some security people," said Gartner research vice-president Jay Heiser.

"The CISO needs to be able to understand the business, and the potential returns on any security investment," Proctor said. "It's not just about security any more. Learning the business is the correct path to go," he added.

At the moment the IT risk management organisation in most companies is buried within the operations team. Proctor advocates a formalised IT risk management organisation within the company that can act as a mediator between operations and the business unit.

"In some companies, operations and the business unit not only speak a different language, but have no way of talking about risks. Security people tend to think 'It's a risk, we can't have it,' whereas business people weigh risks and how they could affect the bottom line," Proctor said.

Over time, CISOs will become risk-management officers able to understand risks from a technical point of view, and understand acceptable risks from a business point of view, according to Proctor.

Companies that have not already implemented formalised risk-management organisations should establish an information security officer position and hire someone with good communication skills and an understanding of the company's business, according to Gartner.

"Ultimately the change has to come from the board down," Proctor said.

And for those CISOs still embedded in operations? "Message for IT people — go get a business degree," Proctor said.