The Role of CIOs and CISOs
Businesses of various sizes are extremely worried about information security. On a daily basis, we hear news of banks and financial institutions losing customer records, confidential information and money due to cyberattacks. Cyberattacks have increased exponentially over the last 5 years, and attack methods are becoming more sophisticated each day. On average, enterprises take about 100 days to identify an attack. It takes even more time to investigate, plug the gaps and prevent similar incidents. The goal of my recent Journal article is to help enterprises and security leaders realign the strategy of their information security teams by empowering the chief information officer (CIO) and the chief information security officer (CISO).

Effective strategies by information security drivers, such as the CIO and CISO, can fine-tune information security and the compliance needs of an organization. Many industries have invested heavily in order to meet regulatory requirements, but being compliant and being secure are 2 different things. Many compliant enterprises have been breached.

Information security needs to be a priority at the board level. CEOs should take active roles in promoting information security, as most valuable information is stored electronically, all systems and databases are online, and mobile transactions occur every minute.

CIOs’ and CISOs’ priority is to identify where sensitive information resides and how it can be protected effectively at the lowest possible cost. The security team, guided by the CISO, should approach problems in a consulting mode to solve security-related challenges in the best way for the business. Outsourcing security operations is still one of the easiest options to reduce cost and reduce risk. These decisions should always be undertaken consciously, evaluating the risk and fallback options.

Information security teams are the walls of every enterprise. An empowered CIO and CISO can create a cost-effective, consistent security culture across the enterprise with the right strategies.

Read Devassy Jose Tharakan’s recent Journal article:
“Protecting Information—Practical Strategies for CIOs and CISOs,” ISACA Journal, volume 3, 2016.

Devassy Jose Tharakan, CISA, ISO 27001 LA, ITIL, PMP