Emerging Roles: The CISO

Oracle’s suit against SAP alleges that SAP stole sensitive information from its customer-support database for its JD Edwards, PeopleSoft, and Siebel applications, all recent Oracle acquisitions.

If this is true, how could Oracle’s CSO let this happen?

Oracle’s suit raises questions about the ability of large organizations to securely integrate acquisitions, protect intellectual capital, and prevent customer churn. These issues and the resulting risks fall within the purview of information risk management or IRM. IRM enables organizations to achieve business goals through the protection of organizational assets. The IRM function is typically headed by the CSO.

Many have compared IRM to insurance. Yet unlike insurance, where the causes of loss are known, the IRM environment faces new vulnerabilities at an alarming rate. IRM deals with much more than IT risks and includes the information risks pertaining to all operational areas.

Organizations delegating their IRM responsibilities to their IT departments need to rethink their approach.

The strategic nature of IRM also becomes apparent when security incidents impact an organization's bottom line. In February of 2007, TJ Maxx announced a financial hit of a penny a share for costs incurred to investigate and contain the intrusion related to stolen credit cards, enhance computer security, and communicate with customers, as well as technical, legal, and other fees.

The loss in shareholder value resulting from the TJ Maxx incident is clearly a business issue that deserves the attention of senior management.

The post-9/11 era witnessed a dramatic emphasis on IRM. From an organizational perspective, the chief information security officer (CISO) is a relatively new role. Various surveys indicate that only 36% of organizations have established a CISO or a similar function.

Some organizations also have a CSO role focusing on facilities and personnel security, separate from information security. The trend, however, is changing. More organizations are integrating the CISO and CSO responsibilities in recognition of the strong interdependency between physical security, personnel security, and information systems.

The IRM function is operational and strategic in nature. Therefore, it’s not uncommon for a CSO to report to the CEO or the COO. Mature organizations with established risk management functions have the CSO role reporting to the chief risk officer (CRO). The IRM reporting structure can get complicated in large global organizations where several regional or business unit CSOs report to a global CSO or CRO.

The IRM reporting structure is also a gauge of an organization's risk appetite. Organizations with a high-profile IRM reporting structure are usually more mature and regard IRM as a non-negotiable item on the management agenda.

Various surveys point out that the CSO typically reports to the CIO, mostly acting as the bridge between the business and the IT organization. This reporting structure violates the segregation-of-duties (SOD) principle. The problem arises because while the CIO focuses on the most efficient use of information to achieve business objectives, the CSO needs to use the same resources to address the risks arising from the use of information and technology.

The two goals are often at odds. In this situation, a CSO reporting to the CIO may have insufficient authority to protect the organization’s information assets.