LinkedIn, the popular social media network, recently confirmed that a breach of its network compromised hashed passwords associated with its user accounts. News reports estimate that almost 6.5 million password hashes were exposed.

More interestingly, LinkedIn said that it has neither a CSO nor a CISO in the organization. That means no senior executive is responsible for the security of its information or for managing security risk.

It is really surprising that a public company like LinkedIn, whose core business is information and which has the budget to hire a CISO, does not have one. Then again, it is not that surprising, considering that neither RSA nor Sony had one when they were breached.

They probably have a lot of security technology, a security framework, policies and a large team responsible for security. But does having all of that mean they are serious about security?

Security breaches happen for many reasons: some relate to technology problems, some to a lack of process controls, and some are people-related; but most happen because of a mix of all three.

We have worked with a number of companies that claim to have the latest security technology and/or to be compliant with all security best practices, but do not have a CISO. Does this mean they are not serious about their security? They have invested millions in the latest firewall, UTM (unified threat management) device, PIM (privileged identity management) solution or SIEM (security information and event management) tool, which is good. They have people doing regular security compliance and process audits, which is also very good.

If you look at it from a people, process and technology view, it is good to have strong process and technology controls, but the key is still people! And even within people, while the team is important, the most important person is the CISO and the security leadership s/he brings to the table!

Not having a CISO, or having someone double up as the CISO (making the CIO or the IT head responsible for security as well), has a fundamental problem: the person accountable for delivering IT projects on time and on budget is then also the person expected to slow them down when they are insecure. Your company may be doing 20 different things for security, but the necessary condition for all of them to work effectively is still a CISO.

The CISO's primary role is to hold the entire organization, including the Board, the management, the business leaders, the employees, the partners and the vendors, accountable for the organization's security, and to ensure that they do not cut corners. The CISO is the conscience keeper. When everyone else is worried about business growth, cash flow, client satisfaction or the other metrics on the balanced scorecard, s/he is the one worrying about protecting the company's assets.

So, if you want to know whether a company is really serious about its security, just ask one question: do you have a CISO? Everything else is unimportant!

It is surprising that in this information age companies still do not have leaders responsible for protecting the company's assets. Having a CISO is necessary, but is it sufficient? That is the topic of my next blog.

Author:

Navin Kotian
President and Co-founder, Aujas