Chief information security officers: Good news and bad news
The good news is that companies are actually hiring security executives but the bad news is that many still consider them glorified firewall administrators buried in a organization.
According to ESG Research, 77 percent of large organizations ( 1,000 or more employees) employ a chief information security officer (CISO), up from 63 percent in 2005. ESG also found that more companies also hired chief compliance officers, chief privacy officers and chief risk officers in this two-year period as well. This data demonstrates that CEOs and board members are willing to throw money and talent at creating real operations around security, compliance, governance and IT risk.
Do these numbers mean that CISOs are becoming more strategic? I wouldn't go that far just yet--here's why. I recently had lunch with a very seasoned security professional who has held the CISO title several times and is currently looking for his next position. My friend told me about employment discussions he has had with several well-known companies. One multibillion dollar firm had the CISO position four levels down from the CIO. At another company, the most senior security professional was a senior director. My friend also described a situation where the VP of networking with little actual security experience was given the CISO title. In spite of his stellar resume, this firm wanted to bring him in as a direct report to its new and inexperienced security executive.
So, the good news is that companies are actually hiring security executives but the bad news is that many still consider them glorified firewall administrators buried in the organization. How will this mismatch help to actually improve security?
Lots of people realize they need to lose weight so they join health clubs and never actually workout. Think of the CISO as the organizational equivalent of the health club here.
I'm often quoted as saying that information security is far worse than people think--this is one example of why I believe this to be true. If the organizations that collect our taxes, treat our illnesses, invest our money, and sell us goods/services consider information security as a low-level necessary evil, we are all in big trouble.