Writing on his personal blog, Dr Boaz Gelbord, executive director of information security at an unnamed firm, claimed that the industry has over-hyped threats and demanded too much time and money to mitigate risk.
Companies have bought expensive security equipment and hired large security teams, and this spending has left some of them doubting whether they need a CISO at all.
Gelbord said: “Whether your company needs a CISO is essentially a question about whether your company needs a full time executive to own and manage its security narrative. Not every company has a chief privacy officer, a chief continuity officer, a chief blogging officer (yes, that one exists).
“But if privacy, continuity, or blogging is critical to your company, you will have that CPO, CCO or CBO. It works the same with security. So how many companies actually do need a CISO?”
He further claimed that "there are still a large number of companies that need a security narrative and need a CISO to own it. For these companies, the CISO function will become even more prominent in coming years. And these CISOs are as hard as ever to find".
Gelbord identified the key skills of a good CISO as the ability to produce change, an understanding of how business processes and information interact, an understanding of the technologies used in an organisation, and an understanding of legal and compliance issues.
“These skill sets are not in and of themselves so unique - any executive in a technology driven company needs a bit of each one. The tough part is finding someone who has all four skills and is actually interested in information security.
“Some people talk about chief risk officer being the next generation of the CISO function. I don't buy this. Everything a company does involves risk, and there's only one person who is ever going to be really responsible for managing all enterprise risk. That's the CEO,” said Gelbord.
See original article on scmagazineuk.com