Today, CIOs and CISOs are expected to be responsible for the myriad compliance requirements coming an organization's way
Three years back, when Target CIO Beth Jacob resigned from her position following a massive data breach, it was hailed as an exemplary step. But when Equifax CIO David Webb and CSO Susan Mauldin ‘retired’ after the recent data breach, no eyelids were batted.
The CIO and CISO have come to be recognized as truly responsible for the safe upkeep of data within an organization, and a breach is seen as their failure. Numerous regulations, not the least of which are stringent data protection rules, are making this responsibility more and more critical. Interestingly, a section of the media has questioned why the CEO did not resign, and the informal opinion is that the CIOs and CISOs were made the scapegoats. In other words, the old joke about a CISO being hired because the organization needs a sacrificial goat in case of some major incident may not be a joke at all.
Without getting too much into that debate, let us look at the future. Today, in every single business process, from sourcing of material to production and from hiring to marketing, technology is used heavily and large amounts of data are handled, processed and generated, involving multiple people. More and more processes are being automated, making them vulnerable to incidents. Also, as newer technologies fundamentally change the way things work, more and more regulations are being introduced to ensure that the interests of various parties, such as customers, are protected. And by default, the CIO or CISO is the one asked to comply with these regulations.
Does this mean that any failure anywhere that involves technology will be seen as a failure of the CIO, or that any data breach will be seen as a failure of the CISO? There is nothing wrong with that stance as such, provided the internal processes (and power structure) are designed that way and the CIO and CISO are given enough resources to carry out the role effectively. Today, their responsibilities have grown manifold, but resources are allocated to them as if they were merely the executors.
This must change.