Successful infrastructure protection requires a combination of executive policy and security technologies. Central to security efforts is the involvement of executive management in actively seeking out and tackling organizational vulnerabilities.
The recent security breach at ChoicePoint underscores the need for CISOs to have deeper insight into business processes to prevent ID theft from occurring. While there has been ongoing speculation about what caused ChoicePoint's breach, the bottom line is that security issues at the company were a direct result of failures within the customer credentialing process, as opposed to system breakdowns at the infrastructure level.
ChoicePoint had entered into a business relationship with a customer and gave it approved access to corporate databases. It was discovered that the customer misrepresented itself, and an investigation was launched.
Rich Baich, ChoicePoint's CISO, would not normally have been involved in defining sales' best practices for credentialing and fraud prevention. But this is right where Baich feels the CISO should be, and he is directly involved with remediation and analysis of the situation.
In order to provide clear visibility into the security needs of the enterprise, the role of CISO must be folded into the lines of business and functional areas within the organization. Business units that previously operated without the intervention of the CISO – such as sales – require CISO involvement to set policies regarding confidential corporate data.
The successful enterprise will widen the influence of the CISO, making the role a part of business drivers – even part of the brand.