
By 2008, 65 percent of the Global 2000 will establish a chief information security office

Egham, UK, September 14, 2005 - Gartner today highlighted the increasing need for companies to invest in the development of comprehensive information security programmes. Analysts predict that by 2008, 65 percent of the Global 2000 will operate a chief information security office for the centralised management of such programmes. Furthermore, as security becomes an increasingly essential element of a company's risk management strategy, Gartner foresees that a growing number of security experts will step into a risk management role.

According to Paul Proctor, research vice president within Gartner's Information Security Group, "The bigger the organisation, the greater the level of external connectivity, and the more heavily IT-dependent it is, the more complex the digital risk environment becomes." Mr Proctor said that large organisations thrive by having a developed understanding of risk, and by accepting it when it offers a business advantage. "Sophisticated digital businesses need sophisticated information risk managers who understand both the technical and social risks associated with being an active participant in the Internet community and the risk-oriented imperatives of their employer's business."

Consequently, more and more organisations are appointing a Chief Information Security Officer (CISO) who has decreasing responsibility for day-to-day security operations and a greater level of participation in strategic business decisions. The role of the CISO is particularly pertinent to many European companies, which tend to be less centralised than their North American counterparts. As a result, the CISO organisation has a pivotal role to play in establishing a security policy framework that can be used across the wider business.

Mr Proctor tracked the evolution of the CISO role over the past decade, explaining that ten years ago the typical information security tasks originated predominantly from the operations group. "Identity management, host security, and perimeter security have changed in sophistication over the last decade, but they have not changed in significance. Today, there exists an arms race of technology requiring organisations to make educated decisions regarding appropriate protection for their organisations."

Over the same ten years, and increasingly over the last two to five years, the emphasis within the information security space has become more strategic, especially at the very largest corporate and government organisations. "The ability to determine what constitutes risk, and the requirement to report that risk to executive decision makers, can be a highly political activity requiring excellent written and oral communication skills with a good knowledge of business. Generally, these skills have been lacking in traditional technically-oriented information security specialists," Mr Proctor added.

Gartner's research shows that, increasingly, information security is being given greater independence and is reporting higher in the organisation. Through either a dotted-line report to a Chief Financial Officer (CFO) or Chief Risk Officer (CRO), or even a direct report, the CISO has a reporting mechanism outside of the IT department. Especially at highly regulated organisations, this is viewed as an important governance mechanism. "Finally, senior management is recognising that the CISO is able to provide a more realistic picture of IT risk when not subjected to the pressures of accommodating the IT agenda," Mr Proctor said. "The days of security being handled by the 'network person' who did security in their spare time are over, and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space."

At the same time, business leaders are coming to terms with the hard facts about security:
  • Security cannot be achieved by technology alone; it is a core part of the culture
  • As such, it requires cultural, behavioural, procedural and technical change
  • 100 percent security is impossible - the goal is appropriate security investment
  • If you cannot demonstrate appropriate security, your clients will go elsewhere
However, whilst the best organisations have matured their security processes and are now focusing on improving best practice, these probably account for less than five percent of all organisations. Gartner believes that the majority of organisations are still in what it calls the 'awareness phase'; that is, they are still establishing, or in some cases re-establishing, their security team and developing new policies.

Gartner says that an effective CISO can be instrumental in moving an organisation to the next security stage and ultimately towards operational excellence.

Information Security Model (figure)

When organising their security processes, organisations need to know where the information security and business continuity functions sit. Gartner counsels that there is no 'one size fits all' and advises businesses to take a broad view of information security, encompassing the technical and operational aspects as well as the strategic, planning and management side. Furthermore, there is increasing interest in integrating the information security and physical security departments, although Gartner's advice is to leave these groups as separate entities that work together as needed.

Gartner recognises that many organisations in Europe have not yet created the role of the CISO. However, in all likelihood they will have, or at least should be considering, appointing a director or chief of security who will play an increasingly business-focused role. Gartner predicts that a new breed of security expert will be trusted to protect the organisation of the future, and that in many companies this person will be given the title of Risk Management Officer (RMO).

Mr Proctor describes the Risk Management Officer of tomorrow as a trusted and fully integrated member of the executive team who has excellent communication and project management skills and an ability to balance strategic, tactical and technical requirements. "The role of the RMO will be to facilitate the cultural changes necessary to guide operations away from their stranglehold on security decisions while guiding reluctant executives toward their responsibility to own residual risk decisions," said Mr Proctor. "Equally at ease with finance as firewalls, the RMO's strength will lie in the ability to have whole conversations about security and risk management without discussing technology."

Mr Proctor concluded by outlining six key recommendations for organisations intent on securing the future of their business:
  1. Establish a security officer position and hire someone with good communication skills and an understanding of the organisation's business.
  2. Develop a process-oriented security programme.
  3. Assign ownership and accountability for the risk management function, minimising conflicts of interest and separation-of-duties issues.
  4. Develop a continuous risk assessment process.
  5. Continuously monitor, measure and report security posture to management.
  6. Build greater levels of accountability, transparency and measurability into security controls.


Press Contact: To speak to a Gartner spokesperson please contact Bite Communications on Tel: +44 (0) 20 8834 3508 or email: gartner@bitepr.com.




About Gartner:
Gartner, Inc. is the leading provider of research and analysis on the global information technology industry. Gartner serves more than 10,000 clients, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company focuses on delivering objective, in-depth analysis and actionable advice to enable clients to make more informed business and technology decisions. The Company's businesses consist of Research and Events for IT professionals; Gartner Executive Programs, membership programs and peer networking services; and Gartner Consulting, customized engagements with a specific emphasis on outsourcing and IT management. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, and has over 3,900 associates, including more than 1,100 research analysts and consultants, in more than 75 locations worldwide. For more information, visit www.gartner.com.


Contact:
Christy Pettey
Gartner
+1 408 468 8312
christy.pettey@gartner.com
