Having a CISO In Place Is No Longer An Option—It's a Business Reality

Posted on by Tony Kontzer

Talk about your double-edged swords.

The fact that American companies continue to bring CISOs on board is evidence that IT security is rapidly evolving into an ever-more-important component of business success in the 21st century. But it also serves as the latest reminder of how far Corporate America has to go in fully grasping just how important protecting customer data and safeguarding consumer privacy is.

That it's taking some companies this long to bring a CISO on board is somewhat astounding. The fact that some of the biggest breaches in recent years hit consumer brands such as Yahoo, Target, Anthem and Home Depot should have sent every company that's responsible for large quantities of consumer data running to hire qualified CISOs.

Yet despite the steady flow of breaches, there are still companies out there lacking security generals. And this, despite the very real possibility that there are many qualified candidates looking for CISO jobs. It's almost as if the business world is echoing the thinking of many consumers who do little to protect their own data, effectively joining the tone-deaf chorus of denial that causes them to chant "it couldn't happen to me."

Make no mistake: It can happen to you. No, make that it will happen to you at some point. It's only a matter of when, not if.

Admittedly, the notion that the market is flooded with qualified CISO types who can't find jobs flies in the face of everything we hear about the shortage of security talent. There is a seemingly constant cry that companies can't find experienced security professionals at all levels, much less in the leadership ranks. But the idea that there are any top security minds out there struggling to hook up with one of the many companies that lack clear security leadership is enough to make one's head spin.

And let's face it: every time we learn that a name-brand company has just hired its first CISO, we should remember that there are still many such organizations that lack strong information security leadership. It almost makes one want to make a point of paying for everything with cash.

On the plus side, there are signs that awareness of information security as a mission critical consideration is on the rise in the C-Suite. But even in studies like this one from Protiviti, there are mixed messages. Yes, boards are growing increasingly interested and involved in the topic of security, and that's a good thing. But the fact that a third of companies can now claim that their top executives are engaged in the topic of security hardly seems like a reason to celebrate.

Think about that: Two-thirds of C-Suites still don’t get it. That's an alarming number. And a closer look at Protiviti's research indicates that companies whose boards are so engaged are nearly three times as likely to have a clear understanding of what the "crown jewels" of their data reservoirs are compared to those companies whose boards are still asleep at the switch.

Stepping back, it's important to give those who are dipping their toes into the CISO hiring waters some credit. Better late than never, as the saying goes. Until now, these companies were among the Walking Dead, part of a sea of companies waiting for the other shoe to drop. Today, however, they are among the upper echelon of corporations that have made an executive-level commitment to ensuring that security and privacy are top day-to-day priorities. It's a select group that's growing every day, but we still have a long way to go before it's even a simple majority of American corporations.

Which brings us to yet another double-edged sword.

We should applaud those companies for taking customer data so seriously, and for ensuring that a qualified executive is overseeing a critical part of doing business in this era of rapid technological evolution.

But we should at the same time be admonishing the many corporations, whoever they are, who are still floundering on this front, either refusing to give up the "it couldn't happen to me" mantra, or even worse, arrogantly believing they've taken all the necessary steps to protect their customers.

Those companies need to brush up on their Alice in Wonderland concepts. In Lewis Carroll's timeless classic, the Mad Hatter and March Hare offer Alice more tea, and noting that she hasn't had any yet, Alice declares, "I couldn't possibly have more."

To which the Mad Hatter responds, "Oh, you can always have more. You couldn't possibly have less."

In other words, to those organizations who haven't hired a CISO yet: The time is now.

Tony Kontzer, RSA Conference

Business Perspectives
