How important is a Chief Information Security Officer (CISO)?
Well, it depends on how important $1.9 million would be to your organization. That’s how much, on average, a CISO can save an enterprise during a data breach, according to a comprehensive data breach study.1 The study finds that the average organizational cost of a data breach is $5.5 million, and a CISO with enterprise-wide responsibility can reduce it by about 35 percent.
The CISO has been important for the better part of the last decade. But today with the colossal amount of critical data that organizations collect and store, the importance of the CISO is escalating to new heights. The role is evolving from a technical position – one that often puts out fires – to a strategic position that anticipates risk and develops appropriate protocols to manage it.
A recent IBM study2 found that the CISO role is heading down the same path as the Chief Financial Officer in the 1970s and the Chief Information Officer in the 1980s to become a strategic leader. But the CISO has not reached its destination yet.
Only 25% of the CISOs polled were classified as “influencers,” meaning they wield substantial influence at their organization. Seventy-five percent, however, either fell into the “protector” or “responder” categories, according to the IBM study.3 The protectors, making up 47% of those polled, do have influence but usually don’t have the budget to make substantial changes. The responders, representing 28% of the survey base, had the furthest to go to become strategic leaders. These CISOs basically just keep their organizations in compliance.
If you or your clients have a CISO – or are considering hiring one – here are five tips to empower the position, and thus, boost security measures.
Provide a seat at the table. In order to be a strategic leader, the CISO needs access to senior management, directors, top clients and other key individuals within the organization to build a rapport. He or she needs to convince them that a security-conscious culture can increase revenue, improve one’s reputation and possibly save tens of millions in prevention costs.
Create a support network. To encourage an enterprise-wide approach, it’s a good idea to establish a steering committee with professionals from legal, business operations, finance and human resources to help make decisions regarding security and mitigating risk.
Along those same lines, the CISO needs to oversee the organization’s data breach response plan and team that will implement it. The team should include pros from legal, human resources, IT and public relations. It may also be wise to include outside vendors such as forensics and data breach resolution firms. And like all incident response plans, the data breach plan needs to be tested at least once per year.
The proof is in the pudding. Access to the C-suite won’t get the CISO anywhere if he or she can’t prove the value of implementing IT security strategies. CISOs need to measure the total potential cost of risk, so executives can see how valuable it is to try to minimize it. The cost of a data breach can be estimated based on the loss of productivity, investigation costs, notification and recovery expenses and the loss of clients/consumers. Other costs, such as the damage to an organization’s reputation, is harder to calculate but, qualitative analysis, such as scenario modeling, can be used to illustrate the monetary effect.
On the flipside, a sharp CISO should also use metrics to monitor progress that he or she is making in the area of security. He or she can track user awareness, employee education and the ability to deal with future threats.
Budget, budget, budget. It’s very difficult, however, to monitor progress and create data breach response plans and teams without a budget. As noted in the IBM study4, many organizations don’t have a line item for security in their IT budgets. It’s absolutely vital for the CISCO to have a security budget to build his or her staff and implement effective response plans and teams. The CISCO also needs a budget to purchase effective automated monitoring software so he or she can spend more time focusing on big picture strategies.
Focus on employee education. Finally, if a CISCO is going to be effective, he or she has to create a risk-awareness culture throughout the organization. While the first step may be to get senior management on board, it’s just as important to educate employees, contractors, vendors and everyone else involved with the enterprise.
Therefore, the CISO’s recipe for success not only involves trying to prevent data breaches and cyber attacks, but also involves informing folks to be mindful of risks. A successful CISO is like a preacher. He or she spreads the gospel about the importance of security and how it’s not only good for business, but that it also needs to be everyone’s business.
Footnotes:
1 2011 Cost of Data Breach Study: United States, Ponemon Institute and Symantec.
2 2012 IBM Chief Information Security Officer Assessment.
3 2012 IBM Chief Information Security Officer Assessment.
4 2012 IBM Chief Information Security Officer Assessment.
Michael Bruemmer is Vice President of Experian® Data Breach Resolution at Experian Consumer Direct, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products.
With more than 25 years in the industry, Michael brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
