I was thinking this morning about how the CISO worked and it come to my attention that even when must of the organizations ask the CISO to report to the CIO, but those the CIO knows the value of the information? If He does, then the CISO should report to the CFO, but if he doesn't then we must see it from the compliance perspective and then the CISO should report to the Compliance, Auditor manager or maybe the risk manager, or maybe in a few years we are going to see the CISO reporting to the CEO.
At the beginning of the decade, when companies were in the process of establish or creating organizations to struggle a wide range of computer security pressure, it was a widespread practice for CIO to take on the double role of CIO and CISO.
The need for information risk administration in companies, governments, enterprises or family business has never been greater and since september 11 or the financial crisis, never more perceptible. Who is the Chief/Corporate Information Security Officer (CISO)? What is the role of today’s information security cluster? Who bridges the gap among business and technologists? How can the organization be successful in the eBusiness environment?
With the years it became a good practice in the organizations to produce a new C-level administration position: a chief security officer (CSO) who would have responsibility not only for corporate information security, but also for physical security. According to a survey released in June 2009 by consulting firm PricewaterhouseCoopers, it appears that a majority of organizations now have a meeting between the security chief (either with the chief security officer or chief information security officer title), the problem becomes how often that happens more than 40% only have this meetings once a year, while other 45% have their meetings either twice or 4 times per year and only 15% have this meetings on a monthly basis
Outside the big picture difficulty of who the CISO should report to or who reins the security funds, companies must also fight with the more street-level inquiries of what happens in the occurrence of an explicit security breach or incident. When a member of staff is found to be viewing pornography or downloading sensitive financial information onto a USB device or burning it to a CD against the enterprise policy, or when a hacker is found to have infiltrated the network and stolen sensitive client information, what is the string of command and processes for responding to the incident?
The positional control of the CISO must award the power to scrutinize roughly any information at the company from an angle of understanding fortification efficacy. This must contain access to audit reports and the capacity to pressure audits, access to shield settings down to the minimum point, access to proof of various sorts, and access to all the groups within the organization and their ability to understand and report on actions. This is more often a people feedback mechanism than a technological feedback method at the CISO's level.
The moment in time has come for more companies to take information safety sincerely. Does the upper management think the same way?
No comments:
Post a Comment