Emerging Roles: The CISO

By Nalneesh Gaur


Oracle’s suit against SAP alleges that SAP stole sensitive information from its customer-support database for its JD Edwards, PeopleSoft, and Siebel applications, all recent Oracle acquisitions.

If this is true, how could Oracle’s CSO let this happen?

Oracle’s suit raises questions about the ability of large organizations to securely integrate acquisitions, protect intellectual capital, and prevent customer churn. These issues and the resulting risks fall within the purview of information risk management (IRM). IRM enables organizations to achieve business goals through the protection of organizational assets. The IRM function is typically headed by the CSO.

Many have compared IRM to insurance. Yet unlike insurance, where the causes of loss are known and can be priced, the IRM environment faces new vulnerabilities at an alarming rate. IRM also deals with much more than IT risks: it includes the information risks pertaining to all operational areas.

Organizations delegating their IRM responsibilities to their IT departments need to rethink their approach.

The strategic nature of IRM also becomes apparent when security incidents affect an organization’s bottom line. In February of 2007, TJ Maxx announced a financial hit of a penny a share for the costs incurred to investigate and contain the intrusion related to stolen credit cards, enhance computer security, and communicate with customers, as well as technical, legal, and other fees.

The loss in shareholder value resulting from the TJ Maxx incident is clearly a business issue that deserves the attention of senior management.

The post-9/11 era witnessed a dramatic emphasis on IRM. From an organizational perspective, the chief information security officer (CISO) is a relatively new role. Various surveys indicate that only 36% of organizations have established a CISO or a similar function.

Some organizations also have a CSO role focusing on facilities and personnel security, separate from information security. The trend, however, is changing. More organizations are integrating the CISO and CSO responsibilities in recognition of the strong interdependency between physical security, personnel security, and information systems.

The IRM function is operational and strategic in nature. Therefore, it’s not uncommon for a CSO to report to the CEO or the COO. Mature organizations with established risk management functions have the CSO role reporting to the chief risk officer (CRO). The IRM reporting structure can get complicated in large global organizations where several regional or business unit CSOs report to a global CSO or CRO.

The IRM reporting structure is also a gauge of an organization’s risk appetite. Organizations with a high-profile IRM reporting structure are usually more mature and regard IRM as a non-negotiable item on the management agenda.

Various surveys point out that the CSO typically reports to the CIO, mostly acting as the bridge between the business and the IT organization. This reporting structure violates the segregation-of-duties (SOD) principle. The problem arises because the CIO focuses on the most efficient use of information to achieve business objectives, while the CSO must use the same resources to address the risks arising from that use of information and technology; the person who owns the resources also controls the person charged with constraining them.

The two goals are often at odds. In this situation, a CSO reporting to the CIO may have insufficient authority to protect the organization’s information assets.

A CSO reporting to a CIO implies an organization where the IRM focus is primarily on IT security. This approach might make sense for organizations working on mission-critical initiatives with a heavy IT component. In most cases, however, the CSO reporting into the IT organization can be traced to cultural and political factors. We expect this reporting relationship to change, with more CSOs reporting outside the IT organization.

The CSO and CIO roles are heavily dependent on each other. However, the CSO should regard the CIO as first among equals, a peer to lean on for advice and fortitude rather than a superior. Regardless of the reporting relationship, the CSO and CIO must collaborate to manage information and its associated risks.

CSOs realize that perfect security is unachievable and therefore need to drive the decisions about identifying risks, treating them, and accepting the residual risk that remains. To make such decisions, the CSO operates in conjunction with a cross-functional team consisting of the CIO, other C-level leadership, the various business unit heads, and the general counsel.

Key responsibilities of a CSO include asset management, security assessments, development of a security strategy and risk management plan, certification, and audit. In a nutshell, the CSO manages risks for the organization, advises senior management about risks to the business, and recommends a treatment for each risk.

Businesses inherently take risks. Activities such as mergers, acquisitions, and business outsourcing all provide opportunities for growth and cost savings while introducing new risks. As a result, board members and CEOs are now more aware than ever before of the need for IRM.

Combined with the inexact nature of risk management, this awareness has elevated the role of the CSO. The CSO is needed to marshal strong involvement from a cross-functional team whose members bring together their collective experience to manage the business risks. We expect the trend to continue, resulting in the hiring of more CSOs and their placement outside the IT organization.

Nalneesh Gaur is a principal with Diamond Management and Technology Consultants.