[ISN] The CISO shouldn’t be the defender of security: Gartner

http://www.zdnet.com/the-ciso-shouldnt-be-the-defender-of-security-gartner-7000019539/

By Michael Lee
ZDNet News
August 19, 2013

Despite CISOs having the words “information security” in their title, their role should not be that of the company’s defender against hackers and online attacks, according to Gartner vice president and security and risk management chief of research Paul Proctor.

Speaking at the Gartner Security and Risk Management Summit in Sydney on Monday, Proctor said that too often, the CISO is seen by a company’s board as the one responsible for ensuring that the business is protected against attacks. However, he argued that when this happens, the board isolates itself from business risks with the excuse that they are IT problems.

“CISOs are their own worst enemy when they position themselves as the defenders of the organisation, because it lets the executives skate on accountability,” he said.

As a result, Proctor said that CISOs find themselves arguing for more money from the board, and the board itself doesn’t see information security as a risk-mitigating exercise, but rather as a continual payment for “perfect” security.

[…]