In a corporation, the board is ultimately accountable to the shareholders for managing risks, including cybersecurity and privacy risk. Therefore, the need to address cybersecurity and privacy risk is generally accepted. However, there is often a lack of clarity over the lines of responsibility and accountability as they roll up to the board.
Since the infamous Target breach in 2013, shareholder lawsuits have increasingly held Board members responsible for breach of their fiduciary responsibility for failing to take reasonable protective actions preceding a data breach.
Today, board members should know how data security & privacy investments are essential for public confidence. In an ideal scenario, the board defines the goals for an effective cybersecurity and privacy governance program through policy and oversight. Then, they must assign someone accountable for that program's budgeting, execution and reporting, often the Chief Information Security Officer (CISO).
The CISO's role is to work with leadership to agree on acceptable levels of risk for the organization. They are then accountable to the board for establishing and maintaining a corporate-wide information security management program to protect information assets.
There are several reasons why CISO roles and responsibilities are becoming a critical issue within enterprises. The increasing risk of data and system compromise, regulatory compliance, the multinational aspects of information traveling across borders, emerging technology, and the demand for external auditor reports have elevated the CISO position to be a hot topic of discussion among the board and senior executives.
The CISO role evolves from a strict technology focus to a process and business focus.
Traditionally, the CISO position evolved from the IT environment where IT technologists, by default, were responsible for the information system's IT security fundamentals. Generally, IT technologists have lacked visibility into the entire business transitions of the organization.
Things are transforming the CISO role from the technical to the business side based on the need to report complex requirements in plain business language to the board. For example, the security and privacy policies need to be understood by the board, which is accountable for ensuring that they are appropriate.
CISOs face the challenge of justifying the approval of the cybersecurity budget, which can be challenging to explain within an organization. The cybersecurity portfolio solution requires a much shorter span of periodic evaluation than the general IT portfolio solution. Security is dynamic and changes based on new threats, incidents, and regulations.
About Truvantis
A virtual CISO (vCISO) service can help bridge the gap when a company is between CISOs or a permanent solution. Truvantis offers world-class vCISO services customized to the scope and objectives of your organization. At Truvantis, our vCISO service is not a one-size-fits-all solution. Instead, we take a personalized approach to your unique business situation and cybersecurity requirements.
Truvantis® is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our customers improve their cybersecurity posture by implementing, testing, auditing and operating information security programs. Contact us today!