Security: Information Risk is Moving Up the Chain of Command

The role of the chief information security officer (CISO) in financial services is evolving as the issue of security gains traction in the C-suite, and well it should, given that security breaches can have a noticeable impact on the business side. But what course the position will take over the next few years depends considerably on societal, regulatory and technological developments. "The role of the CISO is changing, and it's tracking like a hurricane," Michael Zboray, CISO at Gartner, told a recent gathering of security specialists.

A recent multiple-sector survey found that 21 percent of CISOs, or their security equivalent, report to the CEO; 18 percent report to the CIO, with the security department integrated into the IT department; and 12 percent report directly to the board of directors, according to PWC's "The Global State of Information Security," released this fall.

The question at hand is whether information security is viewed as a technology issue, a risk issue or a strategic advantage. The answer seems to be evolving from tech to strategic, with the bulk of financial institutions somewhere in the middle. One way to gain an enterprise's take is by looking at the reporting relationships of the CISO. At enterprises in the early stages of evolution, information security is still part of the technology function, typically with the CISO reporting to the CIO. "Where the CISO reports into the CIO, and then the CIO operates in a shared-services, siloed organization that isn't particularly connected to the business, the CISO becomes in that mode as well," says Ted DeZabala, director of Deloitte & Touche's security and privacy services practice in the U.S.

A recent survey by Deloitte & Touche found that 59 percent of those surveyed felt that management still views security purely as a risk management exercise, rather than as something essential to the business. In some of the largest institutions, the CISO now reports to someone with a business function, typically the COO or the CFO. Phil Lospalluto, CISO and executive director at Morgan Stanley, reports to the COO. "It's really all about information risk management," Lospalluto says.

(c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
