Of all the lessons to be learned from Target’s woes in the aftermath of last holiday season’s massive data breach, perhaps the most important one is this: security leadership at the highest level of the corporate organization is absolutely critical.
“Whether you are a brick-and-mortar retailer like Target or the manufacturer of a digital tool like Internet Explorer, nothing has a negative impact on your brand quite like a data breach,” as SC Magazine’s James Hale observed. Unfortunately, many brands aren’t as equipped to prevent those breaches as they may think. For one thing, many don’t yet have CISOs, or don’t treat the role with the same gravity as they do other C-suite positions. It’s an issue that our Chief Trust Officer Bob West, quoted in Hale’s article, has long noted. We sat down with Bob to discuss why separating security leadership from IT is important and what organizations can do.
Many companies put security and IT under the same umbrella. Why should they be separated?
Bob West: Security has a fundamentally different mission than technology organizations. Technology organizations—the IT department—provide solutions. Security organizations, on the other hand, are there to make sure that the technology solutions are safe. Think of quality in manufacturing. You have quality organizations, and quality is an independent function that reports outside of manufacturing. If you have fundamental quality issues and quality reports to manufacturing, there are going to be times when quality gets overlooked. In the same context, security’s mission is to make sure that the environment has the right level of risk and that the risk level is minimized to a level that makes sense for the business.
Having been in that seat, I can tell you that availability always trumps security, but if the right dialogue is going on from a security leadership perspective, the business is engaged. There’s active, continuous dialogue going on, which is where governance comes in, and governance plays a very important role.
The general counsel, compliance, technology, and business leaders must all participate in the conversation. And if the conversation is facilitated properly, then you can align security with business and technology strategy.
So should every organization have a CIO and a CISO?
Bob West: It depends on the size of the organization. If you have a 1000-person company, it may not be practical to have a CIO and a chief risk officer or CISO, so you may have whoever’s heading up technology head up security as well. But if you do that, then you also need the right governance around that to make sure that the right decisions are being made. Ultimately, the decision to accept risk or not is a business decision, and that’s where a lot of organizations get this wrong. The CISOs often end up being the ones to accept the risk for an organization.
I like to use the general counsel analogy. The general counsel exists to coach the business on what legal risks exist, but at the end of the day, it’s the business’s responsibility to accept the advice or not. The general counsel never accepts a legal risk for the organization. Unless you have profit and loss responsibility, it just makes no sense for a general counsel or a CISO to accept the risk for an organization. Security leadership at the highest level of an organization exists to provide the organization with counsel that the organization can then use to make the best decisions for its goals.