CISO roles expanding to encompass risk management approach for enterprise security

According to a white paper from IT community Wisegate, forward-thinking organizations increasingly understand the need for more pervasive risk-awareness – and are far more focused on enterprise-wide education, collaboration and communications. These organizations are likely to employ CISOs who can take systemic approaches to security issues that span legal, business operations, finance and human resources.

As part of this shift in CISO responsibilities, organizations are spending more on risk management. A recent Wisegate poll found that while 60% of Wisegate members said they expected no change in spending levels, a full 40% said they expected increased spending on security/risk management. No members expected a decline in spending on security/risk management.

When asked what is driving a move to a risk-based approach, Wisegate members cited compliance requirements as the primary reason. However, that’s just a starting point – the second reason is simply, “general threat landscape.” One CISO told Wisegate that “having patient information, HIPAA and HITECH are daily conversations around here. But having management understand the value of going beyond these compliance requirements to reduce our overall operations risk was invaluable to the continued support of our security office.”

Wisegate also said it recently carried out a roundtable discussion in which CISOs across industries confirmed their shifting role and offered a number of major takeaways for CISOs and other IT security professionals grappling with increasing responsibility.

One of those discoveries is that CISOs are being asked to take responsibility for risk management and privacy policy in addition to information security, which offers a fresh set of challenges. For instance, with dual responsibility comes two bosses: CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the CIO.

“However, there is a tension between risk management, which involves balancing risk with resources, and implementing an information security program, which focuses on securing information,” the organization noted. “There is also a tension between the need to identify risks an enterprise confronts and the legal requirement to have plausible deniability if a breach occurs. CISOs will need to deal with these tensions, as well as others, in order to carry out their increased responsibilities successfully.”

As CISOs assume responsibility for risk management, Wisegate recommends that they make use of risk assessment methodologies like the NIST and ISO standards.

“Some useful risk management tools cited by Wisegate members include HP OpenPages, Archer, Rsam, Oracle’s GRC product, Modulo, LockPath, and Third Defense, as well as less comprehensive tools such as Excel and SharePoint,” the white paper said.

Bottom line, “from the Wisegate roundtable discussion, it is apparent that CISOs will need skills that go far beyond information security. They are being asked to take on a lot more responsibility for the security of their organization, including risk management and privacy,” Wisegate concluded. “To be successful, CISOs will need to master C-level skills, such as communication, business, and leadership skills, in addition to their IT administration knowledge.”