Given the growing importance of information and data for organizations worldwide, one would think that its protectors would be given sufficient power, if not the proverbial free hand, to implement necessary security measures. We say this because Information Security professionals already have the humongous task of protecting the organization’s information assets against a plethora of threats. Moreover, the nature of the field is such that they have to keep themselves updated with the latest trends, technologies, certifications, etc. Is it, then, justified to pile on the burden of convincing the Senior Management and Board of Directors (who are already aware of these issues and understand their importance) to implement new security measures? Is it? Of course, the real-world scenario is much more complex, and implementing such a structure might not be feasible. All we are saying is give your soldiers some room to breathe. While organizations are waking up to this reality, we hope that they don’t take too long.
While assigning the Information Security function an autonomous status may be delayed, CISOs have to do their job, and the only way through is through the gates of the Management. It is no surprise, then, that most CISOs are also good salesmen. They have learnt the ropes of the trade and have a few tricks up their sleeves. The article linked below discusses this art of dealing with the Management.