
Hey, Corporate Director, Who’s Your CISO?

by French Caldwell  |  March 7, 2014  |  3 Comments


I’ve spoken to a few corporate boards on IT governance and risk management, and there is one question I always ask — but first let me clarify the Target CISO tweet that went out with my Twitter handle on it.

In an internal Gartner e-mail thread about the Target CIO resigning, I added some irony, writing:  “Another good reason to have a CISO — so the CISO can resign.” Violating all manner of e-mail and Twitter etiquette, my good friend and colleague Doug Laney blasted my snarkiness to the world in a tweet — thanks, Doug! I mean it — thanks — I wish I’d thought to tweet it.

But it’s really not funny, is it, when a CIO must resign her post over something she probably had been trying to fix for some time.  I’ve no special inside knowledge of Target, but we’ve all seen other large organizations that have had big security, risk management, or compliance failures, and typically someone, somewhere has made the problem known, but other business priorities — making a project deadline, opening new big box stores in an emerging market, or closing the deal for a merger — seem more tangible to the powers-that-be (PTB) than dealing with security or risk issues.  ‘We’ve lived with it so far — how do you know something bad will happen, anyway, Ms CIO?’  It’s a real stumper when the PTBs just don’t get it — especially when one fail after another is in the news!

Two factors often emerge when there is a big failure — 1) There’s no one outside of IT who acknowledges ownership of the risk; 2) There’s no one coordinating and providing oversight of the many different risk silos.

Target is just the latest in a long line of consumer giant security fails — remember TJX, remember Sony?

So, after the fail, they all get religion.  The answer lies not just in getting a real corporate CISO; it also requires true business-leader ownership of the risks.  That can only come from the very top, from those who are truly responsible to the shareholders for governance — the Board.  Tone at the top is the one ingredient of risk management where, if you are even a pinch short, the recipe ends in disaster.

So besides running an effective, coordinated security program, there’s another role for a CISO in a large, dynamic enterprise: working with the leadership of the company to ensure that IT risk management issues are addressed in business initiatives.  In a large organization, the CISO will have her hands full running a corporate-wide IT security program and organization, and to have that kind of oomph, she must have a direct line to the board.

So, if you’re a corporate director, I have just one question for you: ‘Can you tell me the name of your CISO?’


Category: Cybersecurity, IT Governance


Michael Scheidell, CCISO, SMIEEE   March 19, 2014 at 7:33 am

    French:

    You are right, and those failures at Target should be a lesson of caution, and encouragement to all CIOs.

    Encouragement, you ask? This sounds more like a warning, when a highly qualified person like the CIO of Target loses her job immediately after a security breach.

    In my opinion, she was overwhelmed. Just like most CIOs today are.

    The reason I say this should be an encouragement is that CIOs may now have the ammunition (and incentive!) to go to the CEO and board and request that the burden of IT Risk Management and Information Security be moved out of IT and up to the ’round table’ where it belongs.

    The CTO, CIO, and CSO/CISO should all have input into IT and technical matters, but the training and responsibility for Information Security and IT Risk Management demand a separate department. This is part of what Corporate Governance would call ‘separation of duties’ when dealing with financial matters.

    With separation of duties for financial matters you are trying to protect your company against fraud.

    When it comes to Information Security, ‘fraud’ may not be the only reason for a separate group, but it may be equally important as the specialized training and experience of a CISO.

    My opinion is that many CIOs will find a way to lobby for a CISO, and not one who reports to the CIO either.

    Think also of the Frog and Ostrich:

    You know the story. Or do you?

    http://blog.securityprivateers.com/2014/03/lessons-from-frog-and-ostrich.html