Sunday, December 6, 2009

CISO and/with IT roles; a few thoughts...

“CISO reporting to board of directors: Myth or for real?” has some quite interesting views on the role of the CISO; it is certainly worth reading and discussing.

“… four aspects to be kept in mind, while deciding a CISO's reporting pattern:
(a) The CISO should be seen as a strategic role.
(b) He must be at a leadership level.
(c) The CISO should be independent of IT.
(d) He should report to a very senior person in the organization, who has a strong hold within the organization”

While the points above are good in general, I believe point (c) is too idealistic and actually depends on the organization's dynamics. The IT and CISO roles can conflict in certain scenarios, but the conflict is certainly not impossible to manage.

“When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT.”

One cannot presume that IT roles (I am talking about leadership roles) will constrain one's views so severely as to be considered a shell; any experienced IT professional will have the capability to avoid this state.

“if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement”

I disagree with this; an organization that has a CISO role on its org chart will have a reasonably mature management system in which roles are clearly defined. If a person there is doubling up in the CISO role, he or she will be at a level at which their involvement in the execution of day-to-day operational tasks and transactions will be nil or at most minimal. Of course, I agree with the CISO being responsible for risk management and improvements.

I play multiple roles: project management, service delivery, information security, etc. Though I regularly face tough conflicting situations, they are being managed effectively.

Finally, it all depends on the organization's dynamics; no standardization can be applied.

Well… though off-topic, the article “Let a Hundred Flowers Blossom” has made me rethink standardization. Right now I am thinking about the various standardizations present in our management systems.

Posted via email from Ramki's posterous
