The evolving role of CISO

04 August 2009 00:00 am , Rahul Neel Mani

From being a guardian of data security to a strategist partnering in a company’s growth plans, the CISO has come a long way

Is the CISO’s (read Chief Information Security Officer) job to move a company to a more secure data stance? Or is he meant to be a visionary and strategist leaving these jobs for others? If the CISO doesn’t do it who else will? These are some of the questions that are abuzz as we discuss the evolving role of the CISO.

While I was talking to the community using my social networks, one of my friends, Anthony M Freed, Financial Editor at www.Information-Security-Resources.com, got back to me with both compliments and apprehensions on this topic.

The compliment was – ‘it’s a great topic to debate’. And the apprehensions were aplenty: “Is the CISO-as-a-Consultant Model Obsolete?” Freed asked. Compounding the problem for the CISO in the short term is that while budgets are southbound, the risk of fraud, insider theft and third-party exposure is escalating. In the long term, the financial crisis has forced firms to refocus on systemic risk, resulting in a revival of top-down enterprise risk management efforts.

And that’s the turning point in the role of a CISO.

What makes the CISO an inevitable part of a corporate? What should s/he be doing to keep the role evolving beyond just secured apps and networks? Can a CISO be instrumental in moving an organisation to the next stage of information security and ultimately towards operational excellence? The answers to these questions will decide the evolution of the role of the CISO and his prominence in a corporate.

Do we need a CISO?

The increasing need to invest in the development of comprehensive information security programmes has certainly given birth to the chief information security officer, who helps manage security, risk and compliance matters centrally.

Consequently, a large part of the corporate world has either appointed or is in the process of appointing a CISO who will carry less responsibility for day-to-day security operations and a more senior role in making strategic business decisions.

Says Vishal Salvi, CISO, HDFC Bank, “Large organisations have stepped in to assign the corporate security and risk management role to a CISO. S/he is in a leadership role - driving information security policy and strategy outside the purview of a CIO/CTO.” Even if the current role is an amalgamation of ‘risk, information security, and compliance’, the assertiveness of the position defines the necessity of a CISO.

Col. Shankar Gurkha, Corporate Head IT, Gujarat Industries Power Company Limited (GIPCL), who also oversees the security function, feels the time has come to carve out a specific role such as CISO in every organisation. “Information security is the key to setting up good corporate governance and de-risking the organisation. The role of a CISO fits right on the top. It may take time before we see a mass proliferation of this idea,” he feels.

Nearly a decade ago, most security tasks would originate from the operations group. But over these years the level of sophistication has changed significantly. Today, there is a mad chase to acquire technology that lets organisations make educated decisions to secure themselves and mitigate apparent risks.

And that’s the reason why there has been a greater emphasis on the role of the CISO within the information security space. Kaj Paananen, Director of Information Security at Helsinki-based Sulake Corporation, an online entertainment company focused on virtual worlds and social networking, says, “All risks having an impact on the revenue, profit and reputation of a company have to be owned by the management (CISOs and CSO).”

Lastly, business leaders are coming to terms with security. “Security cannot be achieved by technology alone. It is a core part of the culture. An effective CISO can be instrumental in moving an organisation to the next security stage and towards operational excellence,” says Jim Hendricks, CISO at IBM-ISS (Internet Security Systems).

Moving up the value chain

The role of a CISO varies in different organisations, but typically, s/he is ultimately responsible for setting the strategic direction of the organisation’s information security programme. “CISOs don’t usually get involved in the lower-level operational issues; however, they are responsible for ensuring appropriate programmes are established. They are accountable to the board of directors for the security of the organisation’s information assets,” says Merv Ah-Young, Technical Expert, Information Security, Telstra, Australia.

Sachin Jain, CISO of Evalueserve – a large Gurgaon-based KPO providing a range of custom research, analytics, intellectual property and legal process services – feels that the CISO’s job revolves around risk management, defining security policies, creating awareness, designing a business continuity/disaster recovery programme and helping the company support its business models.

“The role demands creating a cultural shift where people know what security means and what their responsibilities are. The job is not limited to the technical domain only. It largely covers all corporate and business functions, which a CISO has to work with,” feels Jain.

The CISO need not be a technology guru who necessarily has the complete know-how of all security systems and sub-systems. “A CISO is an interface of the company with technology; he is a guy with great communication skills and consulting experience to collaborate with multiple teams in an organisation,” says Shiva Shankar, VP and Head of IT Infrastructure and Information Security, Reliance Communications.

There’s a contrary view too. Hendricks, who is a CISO at IBM-ISS, thinks a CISO must have some exposure to the day-to-day security operations of an enterprise to keep a ‘pulse’ on security. “Without that exposure, the CISO risks being too isolated from the needs of the business,” he says.

One of the biggest considerations being missed out is which business sector the CISO is working in. “Verticals play a vital role in defining the role of a CISO and his direct contribution to the business,” feels Vijay Vedanabhatla, Information Security Architect and Senior Consultant, Deloitte & Touche.

So, a CISO has less day-to-day responsibility for security and a greater level of participation in strategic decisions. The role of the CISO is particularly pertinent to the many companies that tend to be less centralised.

CISO as a strategist

Rob Nolan, Security Risk Management Analyst at Hewitt Associates, agrees that the CISO is nothing short of a key strategist in an organisation today. “If they are doing their job properly, they will understand any (high-level) risks associated with operational tasks,” says Nolan.

A CISO aligns the information security strategy of an organisation with its business goals and initiatives. That makes the CISO’s function more strategic, which is why it needs to be kept out of day-to-day security operations. Merv Ah-Young of Telstra also feels that the evolving role of the CISO is about setting and establishing the strategic direction of the organisation’s information security programme. “In order to be an effective strategist, the CISO has to demonstrate the traits of a leader, team-player, excellent communicator, and other traits gained from years of experience in a management role. The CISO needs to be a strategic thinker and should have a good business sense.”

“The CISO must be able to listen to business units and develop a clear understanding of the business. Staying aloof or keeping a righteous view of security is a sure sign of disaster,” says Hendricks. It is a clearly visible trend that the CISO is evolving into an IT security policy leader. The CISO’s responsibilities involve educating the entire C-level executive team to help ensure adequate funding for information security.

The ability of the CISO to maintain good relationships with emergency response teams and risk leaders ensures a secure working environment for any organisation. Many global and large local companies today have a CISO or the equivalent of that position. “The CISO role has evolved in recent years from a technical position dealing with perimeter security and related activities to a position of state IT strategy and policy leader,” says Salvi of HDFC Bank.

As a result, there has been a growing appreciation for the value of the CISO’s enterprise-wide view and ability to harmonise IT security policies and practices.

Beyond recognition

Despite their growing clout in organisations, CISOs face numerous challenges. One of the major challenges is the reporting structure. Most CISOs do not report directly to top management, and various levels of hierarchy continue to interfere with the CISO’s efforts.

In most organisations the security framework is conservatively focused on regulatory compliance and paperwork rather than on real risk management. “Most companies have the CISO reporting to the CIO. Only some have direct reporting to the executive committee or the board. It is usually the CIO who has access to the boardroom to discuss the agenda/strategy on IT and security,” observes Evalueserve’s Jain.

Salvi candidly accepts that CISOs in India have not reached the boardroom yet. “I don’t think there is a need to get inside the boardroom, but the problem will get resolved if the CISO reports to someone other than the IT head; it could be the Risk Head,” he argues.

Another major challenge is shrinking corporate budgets. Security budgets are also showing deep cuts in their allocation. “These reduced budgets have fuelled attacks, vulnerabilities and risk. The industry has seen more attacks in the past one year, and that makes us believe that there is a connection between the two,” warns Shiva Shankar. “CFOs have become more stringent these days, as the world believes that the slowdown is due to mismanagement of corporate resources. This loads a lot of weight on the shoulders of a CISO, as his investments and returns are often unquantifiable,” he adds.

“My experience suggests that CISOs are challenged with little or no freedom of assertive opinion. Unlike other organisational leaders, you don’t have the space or allowance to speak out even though you could have a solution,” says Paananen. Amidst these challenges, the evolution of the CISO role does not stop short of its target. It’s a fact that the CISO, a rarity a decade ago, has become far more common in today’s world. No doubt the role of the CISO is vital today, but it will become even more important and evolved as systems and data storage proliferate and identity theft and privacy invasion rise.
