CISOs: Does your firm need a security tsar?

Is it the CIO's remit - or is it time to bring in a specialist?

...continue to invest in end-point security products, such as software to counter malware on PCs, virtual machines and smartphones. According to analyst Gartner, spending on security software will exceed $16.5bn in 2010, up 11.3 per cent on 2009.

"End-points are changing and the potential exposure of an organisation's data is much greater," says Newman. "We got to the stage where we already had the basics right, such as the perimeter and virus protection, and wanted to do something about our deeper security strategy."

Tight relationship
That deeper understanding relied on a tight relationship between line-of-business executives and available resources - and finding the right IT security leader was just one important element. "Security can be a money pit; you have to act in a proportionate manner and it's not just about appointing a CISO," says Newman.

"You need a raw vertical expert responsible for security, but you also need embedded policies in every part of the business. As technologies emerge, consider their potential, evaluate the risk and get buy-in from senior executives. Have a culture that establishes the importance of customer data."

Unfortunately, creating a high level of recognition of the importance of information is not straightforward. Ashley Winton, a European technology lawyer and partner at White & Case, says there is a high degree of cynicism towards the business from technology workers.

[Photo caption: Cynicism towards IT security threats is rife due to a lack of support from the business]

"Many IT professionals think their organisation does not have enough dedicated security resources," he says. "Security, they believe, is not mission-critical and their superiors are not supportive of what they're trying to do. The right policies are often not in place. Even when security policies are being put in place, they're often not working."

Cost of prevention
Winton suggests it is often hard for an organisation to justify spending on security technology and leadership until a breach occurs. Prevention, however, is always likely to be cheaper than the cure, with Ponemon saying that security breaches cost on average £64 per record in 2009. The right leadership decisions will undoubtedly reduce risks and costs.

"Companies that employ CISOs are...

By Mark Samuels

Mark Samuels is a business journalist and editor at IT leadership organisation CIO Connect. He has written for various organisations, including the Economist Intelligence Unit, Guardian Government Computing and Times Higher Education.