Information security isn't a luxury these days. It's a necessity. Companies that don't (or won't) pay security the attention it deserves risk joining a list that includes the likes of Target and Home Depot. It's time to hire a CISO and take security seriously.

It's past time for all major companies – certainly in the Fortune 500, but the advice carries on down into even midsized organizations – to carve out a C-level role focusing solely on security.

Information security isn't just a luxury in this day and age. It's a necessity. For the longest time (and even today in some companies), security was (and is) within the purview of the CIO, a bullet point on a long list of pre-existing responsibilities and job requirements to look after.

Ignore security long enough, though, or neglect to pay it the attention it deserves, and the bad guys will pay attention to it for you. Witness what happened at Target and, more recently, at Home Depot. These incidents were very serious security breaches that let attackers gain access to sensitive payment data over a long period of time – a few weeks in the case of Target and a few months in the case of Home Depot. Consider that. Bad guys infiltrated the most sensitive of systems at a company for months, and only external entities (the banks) convinced Home Depot to look at its systems with enough of a fine-toothed comb to actually discover the breach and begin remedying it.

That these breaches went undiscovered for so long, and that the Home Depot penetration in particular was only discovered and acted upon after external companies went to the victim organization to say, "Hey, something's wrong," is a symptom of a clear and present danger to IT: inattention to security.
CIOs have so many projects, problems, and plans on their plate that they let slide their responsibilities to bolster the security profile of their systems and to monitor the integrity of the networks and machines they already have in place. Moreover, a CIO may not have the technical expertise or continuing education required to stay on top of security threats and the evolving nature of the security landscape.

No matter who the CISO reports to – whether it's the CIO or, even better, the COO – he or she should be charged solely with managing the current security profile and ensuring that the hardening of networks and systems continues at an efficient but effective pace. The CIO could be responsible for the business and operations side of IT, while the CISO could look after the organization's six o'clock.

CISO Role Equal Parts Planning, Approving, Communicating

In a perfect world, every company would have a CISO, and he or she would be tasked with the following objectives and equipped with the following abilities.

Breach response and reaction plan responsibilities. As discussed, the Home Depot breach might still be active now if it weren't for third-party intervention. Since the breach's discovery, it took over a week for Home Depot to even officially admit it had been penetrated, and only in the second week after the breach has any customer-facing plan for mitigation been put into effect. You have to wonder what the committees inside the third-largest retailer in the United States were doing all this time, and how effective the consulting companies that were called in to help remedy the breach were in cutting through any red tape.

A CISO's primary emergency responsibility would be to make sure a breach doesn't play out à la Home Depot and Target. This shouldn't be a role the CIO plays. In effect, should a breach occur, the CISO would be where the buck stops.
Ideally, the CISO would be given both the authority and the budget to respond to breaches quickly and efficiently, without getting mired in bureaucratic reporting and red tape – at least until the imminent danger passed and the breach was mitigated.

Consulting and approval or validation of existing IT investment plans. The CIO may have ambitious plans to do a bunch of things and proceed with a lot of projects, but the CIO may not have fully considered the security implications of those projects and policies. Worse, there may not be any step in the traditional workstream or project workflow in an organization that focuses on the security and integrity of a plan, nor may there be anyone in the organization with enough expertise to make an informed assessment of a plan and its security implications. Bring your own device (BYOD) policies come to mind, as does the use of consumer-oriented, "shadow" cloud storage products such as Dropbox and OneDrive for professional and corporate purposes.

Ideally, a CISO would have the responsibility to rigorously evaluate the plans, the intended services and their uses. He or she would have the ability and authority to either validate a proposal as approved from a security standpoint, request revisions to mitigate any security posture shortcomings a plan may have or, in some cases, even veto a proposal if a serious security issue is identified that can't be practically remedied.

A keen, discerning ability to communicate briefly but effectively with stakeholders. Security breaches are, by their very nature, technical. However, that complexity doesn't reduce the number of questions that the CISO will get from the other members of a senior leadership team, the board of directors and any interested third parties. A CISO must be able to understand the deep roots of a security issue – whether it's a breach or an objection to a current investment plan – and then communicate the severity of that issue and the recommendations for mitigating it to these stakeholders in a brief but understandable way. A CIO doesn't always have both of these skills – and even if he or she did, it may put the CIO in the odd position of advocating against a proposal that he or she initiated, stifling innovation and creativity.

No one will really want to hear from the CISO, much as no one really wants to hear from internal auditors, but an effective CISO is an executive who has a deep technical understanding and also a keen ability to boil those technicalities down and effectively advocate for what needs to be done or the decisions that need to be made.

With new regulations from payment card processing networks coming down the pipe in 2015, including a mass move to chip and PIN and signature processing, as well as the retirement of Windows XP, which many point of sale and financial appliance machines still run, there exists a perfect storm of security deadlines and milestones ahead. Shoving all of these problems onto the plate of the CIO is just asking for trouble. A CISO, split off from the CIO role, is a wise investment for any company to make.