The changing role of the CISO in a data-driven world
30 Aug 2022
The role of the Chief Information Security Officer (CISO) used to be purely focused on managing security problems and risks, without much involvement in the strategy side of things. However, in a world where data and information are critical business assets and the lifeblood of a digitally-driven enterprise, this needs to change. The role of the CISO can no longer operate in isolation from the rest of the C-suite and focus solely on security. Understanding the business, the data that drives the business, and how this data needs to be available as well as managing it effectively for productivity, security, and compliance purposes, must become a critical part of the discussion.
Business and data are intrinsically linked
The challenge CISOs face today is finding the balance between protecting data as far as possible while still allowing the business to be productive. There is no point in locking the data down so tightly that nobody can do their job. At the same time, there are compliance issues that need to be considered. Data is also inherently complex: not all data holds equal value to the business, and different types of data require differing levels of protection based on, for example, their sensitivity or strategic importance.
At the same time, the focus is not on security as such, but on how data supports business goals. Without effective data management, this becomes an impossible ask. If you do not know what data you have, where it is stored, for what purpose, and how it is applicable to the business, then it cannot be effectively secured, nor can it be made available for analytics and to drive business decision making.
Across the board
The CISO needs to be involved in the development of disaster recovery plans, and there needs to be a clear line of responsibility. At the same time, the CISO needs to be empowered to guide corporate decisions around data, while maintaining awareness of compliance regulations and working with the legal team to ensure adherence.
The role no longer involves just IT security – it has become one that touches all areas of the business and is increasingly complex. This complexity is compounded by the need to also manage third-party suppliers, who are often the source of data breaches, as recent history has shown. The CISO therefore also needs to perform due diligence on third-party providers to ensure that they have the right frameworks and security controls in place and follow correct processes, so that data is safeguarded according to corporate requirements.
The buck stops with the CISO
While the role of the CISO has evolved, they remain ultimately responsible for information security, and in today’s world, this has become a secondary function of data management. The CISO needs to be involved in the data management strategy from the start, because data is frequently the target of attack today and is therefore central to security.
Data management, data security and disaster recovery need to be carefully planned and regularly tested, with roles and responsibilities clearly defined and monitoring tools in place. An expert managed service provider can be invaluable in identifying vulnerabilities, defining critical data, and developing effective plans. In addition, in the event of an incident or data breach, they will be able to implement the recovery plan quickly and effectively to minimise business impact.
The role of the CISO is more complex today than ever before, but a specialised data management partner can help simplify it and ensure data is managed and secure without affecting business productivity.