I think we are all familiar with the popular axiom, “It’s not IF you get compromised, it’s WHEN you get compromised.” I’m also pretty sure we all know that IT security is no longer viewed purely as an operational concern but as a significant contributor to business risk. As a result of this, IT security is quickly moving up the ladder on the boardroom agenda. Yesterday’s chief information security officer (CISO) mainly focused on technology – they were a member of the CIO's senior management team, often considered an IT asset, and asked to attend board meetings only to explain why the company was headlining in the national press. Today’s CISO is more likely to report to, or at least have a dotted line into, the CFO. They are commonly recognized as a business asset, definitely more focused on business risk, and a regular contributor at board-level meetings. For me, it’s not as important to whom the CISO now reports to or within which business line they now reside. It is, however, extremely important that the business recognizes them as a valuable business asset and an important member of the business risk management team. That said, I still believe there is much to be done. Many CISOs still struggle to communicate in the business language that board members understand, and many board members lack the technical savvy they require to fully appreciate the level of cyber-related risk to which the business might be exposed. As a result, I believe it’s the responsibility of the CISO to drive engagement with the board and to ensure the terminology of cyber-security and cyber-risk is translated into a language the board can understand. Good engagement and communication between the board and the CISO are crucial if an organization is to effectively manage their business risks while still taking maximum advantage of the business opportunities cyberspace can bring. I’ve heard many C-level and senior executives suggest it will be 10 years before we see the first CISO take up a permanent position in the boardroom. I’m more optimistic... five years will probably be all it takes, but I guess only time will tell. Cyber criminals and cyber attacks are a growing pressure on almost all businesses. Well, environmental pressure drives evolution, and we like evolution. For insight into some of the challenges facing CISOs today, please read our "Voice of the CISO" article series:
