CISO reporting to board of directors: Myth or for real?

By Dhwani Pandya, Principal Correspondent
23 Nov 2009 | SearchSecurity.in


The seriousness of today's security threats is forcing Indian enterprises to treat information security as a strategic need rather than the purely operational matter it used to be. This drastically changes the profile of the information security head: instead of being an information security supervisor with a routine remit, he is now making a slow rise into the top management bracket.

The chief information security officer (CISO) designation is still a rarity — limited to industries like the banking, financial services and insurance (BFSI) vertical, telecom, and business process outsourcing (BPO). According to Vishal Salvi, the CISO of HDFC Bank, these industries with mature information security functions are already experiencing a shift, wherein CISOs have started to report outside IT.

According to Captain Felix Mohan, the CISO of Bharti Airtel Ltd., there is a growing global trend of CISOs reporting outside the IT function. On this front, Mohan refers to analyst firm Gartner's studies, which estimate that 30% of CISOs report outside IT. CISO reporting structures in certain Indian organizations have been modified so that the CISO reports to the board of directors or the CEO.

As an example, Salvi reports to HDFC Bank's executive director of risk, whereas Mohan reports to Bharti Airtel's information security steering committee (an apex security body comprising functional directors and Airtel management board members). On the administrative reporting front, Mohan reports to the director of technology services and customer service (also a board member).

Can we assume that we will soon witness a trend of Indian CISOs reporting to the board of directors or CEOs? Most CISOs we spoke to believe that CISOs reporting directly to the board of directors is a rarity. "CISOs reporting to the organization's head of risk management is definitely a trend," says Sameer Ratolikar, the CISO of Bank of India, who follows this reporting pattern.

Today, the risk function in many Indian organizations covers business as well as IT risks. Salvi believes this reporting pattern helps information security departments derive more synergy and functional knowledge from the risk function.

Whether it is risk or any other function, the trend of CISOs reporting outside IT is on the rise. Concerns about possible conflicts of interest between the IT and information security departments are driving this trend. According to Mohan, if information security personnel report to the IT team, segregation of duties and control may be lost. "In such cases, the CISO will find it difficult to point out gaps in IT, which is tantamount to pointing out his reporting manager's faults. By making the CISO report outside IT, it's possible to avoid such situations."

Salvi highlights four aspects to be kept in mind, while deciding a CISO's reporting pattern:

(a) The CISO should be seen as a strategic role.

(b) He must be at a leadership level.

(c) The CISO should be independent of IT.

(d) He should report to a very senior person who has a strong hold within the organization.

When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective rather than just an IT one. Giving his own example, Mohan explains, "My role involves activities across a 360 degree perspective of security, which encompasses information security (as contrasted with IT security, its subset), business continuity, compliance, safety and physical security."

Independence from IT also gives tremendous sponsorship to information security. "It gives us a bigger canvas to work on, as well as empowerment to bring about change. In case of conflict of interests, you are able to put forth your point of view more assertively, and your department gains more respect," says Salvi. In operational IT implementations, information security generally gets lower priority than a rapid project rollout. "In such cases, the CISO's different reporting structure enables him to lay down a good process to closely view security," explains Ratolikar.

Does this mean that a CISO's reporting line has to be changed in order to empower him? Not necessarily. "Irrespective of the reporting pattern, if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement," says Mohan.

According to Salvi, although the information security function should be independent of IT, it should have very strong communication links with the technology team. "There is a risk of being isolated if you are not a good leader or can't communicate well," says Salvi. The IT department should also understand that an independent security function is required for overall business improvement.

The change in reporting pattern may create ego hassles between the CIO and the CISO. However, the CISOs we spoke to believe that while differences of opinion are possible, ego hassles arise more from personal bias than from functional or reporting structures.

Traditionally, information security budgets have been defined as a percentage (or part) of the total IT budget. It remains to be seen whether information security budgets will increase, and whether they will continue to be part of the IT budget, after the change in reporting structures.

Salvi feels that there is no need to spend time and effort segregating a separate security budget. "There is no issue as long as information security budgetary allocations are in accordance with the annual security operating plan prepared by the CISO," says Mohan. As for an increase in the security budget, Salvi feels that this cannot be held up as a benchmark for security programs.
