I’ve spoken to a few corporate boards on IT governance and risk management, and I have one question that I always ask — but first let me clarify this Target CISO tweet with my twitter handle on it.
In an internal Gartner e-mail thread about the Target CIO resigning, I added some irony, writing: “Another good reason to have a CISO — so the CISO can resign.” Violating all manner of e-mail and twitter etiquette, my good friend and colleague Doug Laney blasted my snarkiness to the world in a tweet — thanks, Doug! I mean it — thanks — wish I’d thought to tweet it.
But it’s really not funny, is it, when a CIO must resign her post over something she probably had been trying to fix for some time. I’ve no special inside knowledge of Target, but we’ve all seen other large organizations that have had big security, risk management, or compliance failures, and typically someone, somewhere has made the problem known, but other business priorities — making a project deadline, opening new big box stores in an emerging market, or closing the deal for a merger — seem more tangible to the powers-that-be (PTB) than dealing with security or risk issues. ‘We’ve lived with it so far — how do you know something bad will happen, anyway, Ms CIO?’ It’s a real stumper when the PTBs just don’t get it — especially when one fail after another is in the news!
Two factors often emerge when there is a big failure — 1) There’s no one outside of IT who acknowledges ownership of the risk; 2) There’s no one coordinating and providing oversight of the many different risk silos.
Target is just the latest in a long line of consumer giant security fails — remember TJX, remember Sony?
So, after the fail, they all get religion. The answer lies not just in getting a real corporate CISO, but also requires getting true business leader ownership of the risks. That can only come from the very top, from those who are truly responsible to the shareholders for governance — the Board. Tone at the top is the one ingredient of risk management that, even when you are just a pinch short, will end your recipe in disaster.
So besides running an effective coordinated security program, there’s another role for a CISO in a large dynamic enterprise, and that’s working with the leadership of the company and ensuring that IT risk management issues are addressed in business initiatives. For large organizations, the CISO will have her hands full running a corporate-wide IT security program and organization, and to have that kind of oomph, she must have a direct line to the board.
So, if you’re a corporate director, I have just one question for you: ‘Can you tell me the name of your CISO?’