Amid the onslaught of egregious privacy violations caused by poor enterprise security, many are asking themselves how this could happen. After all, the technology exists to build secure networks — or at least networks that are more secure than those we are expected and, in many cases, required to entrust our private information to.
It’s embarrassing to the industry as a whole when data that could be used to steal the identities of hundreds of millions of people is leaked. It’s even more embarrassing when an enterprise organization fails to carry out security tasks that a non-technical person looking after a WordPress blog knows to be commonsense: update your software!
I’m being a little unfair here: patch management is a difficult problem for large organizations. But consumers don’t care about how difficult it is to manage organizational security; they care about their security and the privacy of their data. As data leaks mount and ordinary consumers feel the bite, privacy will become a differentiating factor. Organizations that aren’t seen to protect data won’t be trusted with it — and in an information-driven economy, that would be catastrophic.
That’s why Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) should be independent of CIOs, have a voice in the boardroom, and have the authority and budget to enforce privacy and security throughout their organization.
The role of the CSO extends beyond the IT department. CSOs are responsible for protecting the security and privacy of the business and its consumers. The CIO is responsible for protecting the projects and the interests of the IT department. These roles often come into conflict when the dictates of security best practices conflict with the perceived needs of the IT department and its projects. Budgets are unlikely to be spent on security when a CIO considers other projects to be more pressing.
What I have described is something of a caricature. Many CIOs are deeply concerned about privacy and eager to build secure networks and applications, but security goes beyond the bounds of the IT department. A CSO must have influence over other executives, operations staff, developers, and non-technical staff throughout the business — an attack is just as likely to begin with a phishing attempt against a low-level employee as it is to involve an attempt to exploit outdated server software directly.
Without influence and authority, a CSO cannot operationalize security and privacy throughout the organization.
An independent CSO gives security a voice in the boardroom beyond a line item on the agenda or a short meeting in the CIO’s busy schedule. If organizations are to be secure, then security considerations must be integrated into every project. An independent CSO with a strong voice can “speak truth to power” and be heard.
Making the changes necessary to put security and privacy at the heart of business operations won’t be easy, but the alternative is an erosion of trust that will fuel the rise of agile competitors who are capable of building products and services with privacy and security at their core.