Governance, communication, collaboration, risk management practices…they sound very different from identity management, authentication, endpoint protection, SIEM…
Traditionally, corporate IT departments have been the custodians of anything to do with data. The top executives were dependent on them to get data, analyze it, and even to make sense of it.
As the importance of data grew in the business, businesses started hiring specialist data scientists. Today, it is an established practice for large and medium organizations to have a separate data team.
Ditto for Chief Digital Officers. When the posts were envisaged, the IT executives were the top claimants for them, with some challenge from the marketers who thought they understood digital media really well. In hindsight, we see that it is mostly core business people who occupy those roles.
Turn to information security. As the profile of cyber risks grows in organizations—cyber risks being counted among top five business risks (see the cover story)—there are similar apprehensions. Will it be taken away from the people who have traditionally handled it? Will trained risk professionals with business background take over?
Nah, it is not happening. Most research shows that CIOs and CISOs are still the top custodians and decision makers when it comes to cybersecurity. The cover story in this issue highlights some of that research.
What explains the trend? The highly specialized nature of the jobs? A lack of manpower who can do them effectively? There are many reasons; let us keep that discussion for another day.
It is tough—if not bad—news. The CISOs and CIOs get to keep this responsibility with them for the time being, not because they seem to be the perfect choice, but because they are perceived to be the best choice among all available options.
They have to go a long way to be able to do that effectively. What is needed is a change in attitude and a change in planning. We focus here on the second part. Changing attitude is a big challenge and we promise to do a research-based story on that in the near future.
Even when it comes to planning, you can clearly see it is not so much about tech. Governance, communication, collaboration, risk management practices—these are some of the suggested focus areas. They sound very different from identity management, authentication, endpoint protection, SIEM…
One obvious question is: when the CISO today is expected to ensure compliance with different regulatory requirements, and some companies are even toying with the idea of making CISOs the Data Protection Officers (DPO) required by the upcoming personal data protection legislation, how can they manage all of this?
From all that we have seen in business over the years, we can find a clue. And that is: not to see these as separate tasks, but to create an integrated approach combining tools, technologies, practices and management. Doing that is not rocket science, but taking two steps back from day-to-day fire-fighting to see things in a broader perspective, and then thinking of a holistic solution, is the real challenge.