Chief Information Security Officer: A New Spin on an Old Job

Ralph DeFrangesco

In a recent survey of over 7,000 CEOs, CIOs, CFOs, CISOs and CSOs by Price Waterhouse Coopers, 85 percent of respondents said that they now have a security executive, a Chief Information Security Officer. This number was up from last year, when 56 percent said they had one, and from 2006, when it was only 43 percent. This is a trend that is clearly on the rise. Also not surprisingly, IT security spending will remain strong, with 63 percent saying that spending will increase, and only 12 percent planning to decrease it. There is also an interesting discussion on the responsibility of a CISO versus a Chief Risk Officer (CRO) going on in the IT Business Edge Knowledge Network that you should check out.


What is driving organizations to increase budgets and hire security officers? According to PWC, it's an increased risk environment, regulations, and additional industry standards. This boils down to organizations wanting to enhance their risk, regulatory, and compliance positions. Organizations are tired of hearing that they are not compliant or not meeting increasing regulatory requirements. They are under pressure from their boards of directors, stockholders, and users to finally become compliant.


Security positions have existed in organizations in the past, typically as a Director of IT Security or even VP of Security. In almost all cases, these positions have reported to the CIO. The new spin here is that now the majority of CISOs hired are reporting to the CEO or the board of directors. Organizations are saying that security is a corporate concern and they are willing to give these security execs the authority and funding to be successful. And if they are successful, then the organization will be successful.

Nov 2, 2009 4:41 AM The Garland Group says:

"Organizations are saying that security is a corporate concern..." Love that! Everyone: every department, every business unit, has an impact on how secure or not an organization is - at the end of the day it affects every individual in the enterprise. More importantly, the organization's sentiment to security and culture comes from the head, whether it be the CEO or board. And with buy-in from top management we're already taking security to the next level.

Nov 3, 2009 9:16 AM Jeff Goldman says:

As IT budgets shrink in other areas such as with app development personnel, due to outsourcing, and server hardware, due to the adoption of virtual and the cloud, and this is compounded with a shrinking economy, businesses are being hit with an onslaught of compliance requirements. This is not to say these requirements are bad in the least; it is just the opposite. The need to protect data is and has been a growing concern and will not ease up in the future.

It is only logical that a captain be assigned to steer the ship of information security/risk compliance departments. It has become pertinent that businesses comply or their business can become greatly negatively impacted. For example, PCI requires businesses that handle credit card information comply with their set of standards or the business will be fined, along with being responsible for any losses that occur as a result of their lack of compliance, or possibly unable to do business with the credit card companies altogether. Businesses can't afford any of this nor do they desire the reputation of not being secure. Who would do business with a company that is not securely managing your personal information? This focus, brought on by the reality of identity theft, is a huge concern.

As business changes in our "new economy" and our baby boomers retire, the CEOs of today are younger and simply more computer savvy and aware and this is why we see a shift in the chain of command from the popular CIO funneling all IT business to the CEO only. It is the CEO's job to understand the current business environment and more and more that environment is all about doing business securely. Thank God.

Nov 30, 2013 5:28 PM ashad hossain says:

whether it be the CEO or board. And with buy in from top management we're already taking security to the next level.
