It’s official: IT security has reached the board room
Posted by Tom Turner in Cybersecurity, Threat Management
There is a headline below the fold of today’s Wall Street Journal about a data company that processes financial transactions on behalf of many institutions. What caught my eye was not that the firm was flagged by the FDIC as needing improved security practices (good to see that happening proactively), but rather how the firm’s CEO has immediately responded. Three new executives have been appointed to oversee progress in the company’s security practices: a Chief Audit Executive, a Chief Risk Officer and a Chief Information Security Officer (CISO). This in itself is a different response than we are used to seeing. In days gone by, the usual response was to bring in an external firm for a consulting engagement, and then maybe the IT group would add some security expertise, but essentially the security response stayed down in the weeds.
Even more interesting about this particular firm’s response is that the three new executive positions report either to the CEO or directly to the board of directors. They are not reporting to the CIO or somewhere else in the IT stack; they are truly line-of-business decision makers. These actions align with some of the findings in the recently released IBM CISO Study. The top 25% of respondents to the survey were identified as “Influencers”, and the notable fact about this group was how often they aligned directly with the company CEO or board.
In these types of organizations, security is seen as a business (versus technology) imperative. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. In fact, 60 percent of the advanced organizations named security as a regular boardroom topic, compared to only 22 percent of the least advanced organizations.
It is good to see the best practices from existing security organizations being swiftly put into action by the senior executives of a company. It is a great proof point that IT security clearly is a boardroom issue.