MARCH 2013 | THE ECONOMIC UPDATE
IT

CISO: The Voice for Information Security
Business leaders have come to realise that their organisations' dependency on information technology (I.T.) is now more prevalent than ever, argues Donald Tabone, as data and information have become core assets without which an organisation cannot survive.
Donald Tabone is an Associate Director at KPMG in Malta and a Computer Forensics lecturer. Mr Tabone joined KPMG with over 15 years' experience in the field of information technology, during which time he held several technical hands-on and managerial positions with both foreign and local organisations. Besides holding a number of certifications in information security and computer forensics, Mr Tabone has an honours degree in computing and information systems and a Master of Laws in IT and Telecommunications from the University of Strathclyde.
However, the risks associated with I.T. are not always appropriately recognised and are often not addressed in a holistic manner. The lack of appreciation of such risks by some business leaders is in fact prompting organisations to assign the responsibility for information security to I.T. departments, which are in effect in conflict when they attempt to balance the need to open up systems for operational and other uses against securing systems and data from misuse. Furthermore, people in I.T. departments are often more focused on securing technology than on securing data and information!

Over the past few years, the large number of high-profile organisations that have had their systems compromised by hacker groups such as Anonymous has made businesses worldwide recognise the need to step up their information security efforts. It has also become critical for business leaders to supplement their core competencies and experience with a good understanding of the information security risks that their organisations inevitably face. The reason is that all facets of an organisation make use of information, and have major dependencies on such information and on the I.T. that holds and processes it.

With this in mind, the role of the Chief Information Security Officer (CISO) is to provide a voice at the highest levels of an organisation, specifically to give direction and to define strategies for the reduction of the reputational, financial and regulatory risks that come from weak information security. The role of the CISO brings with it a number of significant challenges and responsibilities, including the alignment of new (information security) technologies with the business strategy by translating business and regulatory requirements into policy, technical standards and controls. This alignment also brings with it a better balance of risk, priorities and the associated trade-offs.
There are, however, other challenges for such a role to be adopted by organisations, the most important of which relate to the human element. The first refers to organisational cultures, which often act as barriers to the introduction of such a role. Such barriers highlight the importance of consensus and action by the business leaders in order to instil a security mindset across the organisation and to implement distinct roles that segregate information security from I.T. departments. The second concerns the definition of the skill-set that such a role demands. Together with the technical abilities, the individual taking on the CISO role must be capable of understanding the relevant business issues and transposing them into a technical definition. In this respect the CISO would need to strike the right balance between security and usability without losing sight of the business / technical alignment.

It is imperative that business leaders recognise the importance of data and information for the effective running of their organisations, and treat such data and information as key corporate assets that need to be protected. Business leaders have no choice but to assume responsibility for such digital assets, and once this concept is ingrained in the minds of all executives it positions CISOs as trusted advisors to the business leaders. The sheer volume of digital data that is today captured and generated by most organisations creates huge challenges for the design and implementation of such protection, and the CISO therefore has a critical role in assisting with the protection of value. The difficulty is in the placement of the CISO within organisational structures, and this will certainly vary from one business to another, suggesting that the role is very likely to evolve as the risks associated with information and technology continue to evolve and increase.
www.maltaeconomicupdate.com