After the roller coaster of 2010, what should be on the CISO's mind?
New threats? New security technology? New technology for everyone else?
Those topics are interesting enough, and are certainly things CISOs looked at in 2010. Yet, is there anything different?
The role of the CISO varies by enterprise, but as I talk with business managers, some generalizations apply across a range of enterprises and their CISOs.
Here are five key questions for CISOs to consider:
Are you prepared for the new regulations? Almost every heavily regulated industry experienced additional regulation in 2010. In addition, there are new regulations for legal entity type, transaction type and more. For example, banks received a bit of a holiday gift from the Basel Committee on Banking Supervision with a consultative document to update the nearly eight-year-old Sound Practices for the Management and Supervision of Operational Risk.
This contains more emphasis on information technology and outsourcing, and this will ripple through revisions, national implementations and field examinations. You and your boss/colleague who leads IT risk management need to understand regulations like these in financial services, electric utilities, health care, retail and more. Be cautious about relying on your compliance leader to tell you what is needed if that team lacks sufficient technology background.
Are you prepared for new products? Have you talked to your marketing and sales people lately? Depending on your market, they might be gearing up for new product enhancements, mobile applications, new geographic markets, new customer segments and support for additional languages. Are you ready for what is in their business plan?
Are you prepared for more mergers and acquisitions? Are you still trying to digest the last acquisition? Tough times make buying growth a popular strategy. How much “been there, done that” expertise do you and your team have in making acquisitions go smoothly? If not enough, get help!
How does IT security relate to overall IT-related business risk management? Is “IT risk management” in your institution just a way to do assessments for security purposes or is it used to achieve an end-to-end view of business process across all areas of IT-related risk and operations (change, configuration, release, energy, facilities, security, availability, recovery and more)?
Does it look at IT-related risk to achieving business value, portfolio design, investment decisions, program management and project management? If “IT risk” is still seen in a limited, internal, security and technical way, then it is time to get better.
Are you hiring and retaining the right skills to meet the above needs? IT security hiring is on an upswing. According to job search site dice.com, growth in information security jobs is outpacing overall job growth by a factor of three. This means that CISOs will have to give attention to hiring and retention in a way they have not needed to in the past few years.
Together, these questions sound the call for more business-focused CISOs. While this is not new, what is new for 2011 is the intensity and focus of these factors as we navigate through a recovering economy.
Are you ready?
Brian Barnier, CGEIT, CRISC, is a principal at ValueBridge Advisors. He has worked in both business line and IT roles, and is an active volunteer with ISACA, where he worked on the development of the Risk IT framework. Contact him at firstname.lastname@example.org.