CISOs: Does your firm need a security tsar?

Is it the CIO's remit - or is it time to bring in a specialist?

The importance of data security is obvious to all in IT. But at what point does an organisation bite the bullet with the appointment of a chief information security officer? Mark Samuels reports.

Mike Newman is an IT leader who is one step ahead of some of his executive peers. The CIO of Towergate, Europe's largest independently-owned insurance intermediary, appointed a full-time head of IT security 18 months ago as part of a higher-level strategy to prioritise the integrity of information.

"Data security simply has to be fundamental," says Newman of the decision to hire a head of information security. "As a services-based organisation, the key asset is your customer - you have a real duty to look after your assets. We need smart security guys to stop the potential exposure of data and to make sure that the corporate use of information follows best practice."

The good news is that, for the most part, technology workers recognise the importance of employing a dedicated security leader. As many as 62 per cent of IT professionals believe the most valuable governance measure an organisation can undertake with regard to data security is the appointment of a chief information security officer (CISO) or other high-level security leader, according to research from the Ponemon Institute.

But the bad news is that a duty to look after data assets is not always understood by the board. Ponemon's research shows just 14 per cent of IT professionals believe it is worth talking to the chief executive about the threats associated with a security attack.



Perception gap
There is, it would appear, a chasm between IT professionals recognising the need for dedicated security management and a board that fails to understand the significance of information integrity.

In the case of Towergate, Newman says the organisation's attention was drawn to data security via the ever-increasing raft of rules and regulations that surround the financial services sector. The continual emergence of new technology provided an additional concern.

"There's now increased complexity for the business because of web-enabled software and smartphones," he says. Such complexity means many organisations will...