CISOs: Does your firm need a security tsar?

Is it the CIO's remit - or is it time to bring in a specialist?

...those with the best security practices," says Winton, who believes organisations are better at responding to threats if they have an executive that is responsible for security. It is a belief that chimes with Brian Burton, head of IT security at Vodafone UK.

"You have to go up a couple of floors to handle the security threat. You can handle the data, lock devices and wipe information. But it's all about how your business adapts to the fact that people are now using non-standard devices," he says.

"You can't single out any particular device and you have to offer the same secure platform for multiple forms of communication. There isn't much new to do - it's about reusing your security skills to sell ideas to your own manager. It's like when someone screams in a movie and another person slaps them in the face to get them back in order."

Information integrity
The force of that slap depends on executive-level awareness. David Bason, IS director at legal firm Shoosmiths, says information integrity is critical to his organisation, which is frequently subjected to audits from banks and other financial businesses.

Increasing regulation can often be a spur to better information security for businesses

Should information security fall solely within the remit of the CIO?

To ensure the necessary controls are in place, the firm has recently acquired ISO 27001 information security accreditation. Bason says organisations also need to comply with various regulatory constraints, including the Data Protection Act and the Payment Card Industry Data Security Standard, and to be clear on information retention and deletion policies.

"With fines of up to £500,000, there should be no difficulty in obtaining the board's attention," says Bason, who also believes that best practice corporate governance should include the management of risk through a specialist committee.

Such a committee should set the company's appetite for risk, driving task prioritisation and allocating money. The CIO must be integral to such decisions. If they are, concludes Bason, the need for a dedicated CISO is reduced.

"There is a need for a serious focus on information security, but not a need for a CISO," he says. "Data security should be part of the CIO's remit and incorporated into the overall information management strategy."

By Mark Samuels

Mark Samuels is a business journalist and editor at IT leadership organisation CIO Connect. He has written for various organisations, including the Economist Intelligence Unit, Guardian Government Computing and Times Higher Education.