ed_adams
Chief Executive Officer, Security Innovation

Sony appoints CISO in response to PlayStation attacks……but reports to the CIO?????

Opinion
Oct 28, 2011 · 2 mins
Data and Information Security, IT Leadership

A few months ago, Sony announced that it had created a new CISO position, reporting directly to the CIO, in response to the attacks against PlayStation. I’m encouraged by the fact that Sony realizes they need someone focused on data security – but discouraged that they’ll be reporting to the CIO, who almost always has a fundamental conflict of interest and often reduces this role to a figurehead. CIOs are typically responsible for the information technology and systems that support enterprise operations, and they need them to be high-performing and feature-rich (and security often crimps that style).

If I were CEO of a multinational enterprise like Sony, MassMutual, SAP, and others, I would place my CISO reporting to the most senior risk executive in the company and have that person report to me. I would create a nested risk-based approach to data/information protection. For example, Application Security would be part of a larger Information Security group, which would be part of a larger risk group, which is responsible for assessing risk in the context of business continuity and operations.

Security and risk are elements of _every_ person’s job, and the group who’s “responsible” for security has the charter of assuring the dissemination and absorption of those security/risk elements (making it part of the culture vs. doing all the security work themselves in the security group.) This would be my yin to the CIO and IT yang of faster, cheaper, more efficient automation of data management.

Companies like Thomson Financial, Liberty Mutual, and SAP had it right, imo, and changed things – which sent their CSOs running away and significantly weakened their security posture overall.


Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world, including Microsoft, IBM, FedEx, ING, Sony, Nationwide and HP.