The changing role of IT Security | 31st August, 2016
Why it’s going to be a board-level seat in the future
In an increasingly connected world, IT security has become a matter of paramount importance. This is true both for governments and businesses.
Look at this prediction by IDC. It indicates that IT security will matter not just for the virtual world but also for the real world. As global trade flourishes, supply chain risks will increase. By 2019, geopolitical divisions and global economic instability will result in cyberattacks targeting suppliers, forcing businesses in Asia Pacific to increase spending by 35% or more to mitigate supply chain risks.
At the same time, IDC warns that data breach incidents will go up. By 2020, more than 1.5 billion people will be affected by data breaches, increasing calls for regulation and alternative authentication measures.
In this scenario, it is no surprise that IT security is fast becoming a matter of national defense across the APEJ region. That’s why governments are setting up cybercrime and cyber-defense centers, with the associated levels of infrastructure and investment.
However, business organizations are still struggling to balance the cost of IT security against the impact it can potentially have on their business, and business owners are challenged by the elusive return on investment from IT security compared with other types of IT investment.
But this wait-and-see situation will not continue for long. As legislation improves across the region and non-compliance becomes more fiscally punishing (as it will, given the new regulations emerging), the board will be more concerned with the cost of not being secure and will demand better oversight of IT security.
As it is, laws are emerging in the US that require listed firms to file on their cyber security posture. We are seeing the same trend in Asia. Australia, New Zealand and Singapore are all coming out with new laws to make data breach disclosures mandatory. The European Union is also changing its laws, making data protection regulations even more stringent.
Due to these changes, the CIO or CISO will be occupying a board-level seat in the future. According to IDC, by 2017, one-third of corporate boards will fill a seat with a risk mitigation expert who can provide guidance on data privacy and security initiatives.
Both the board and CIOs have to be prepared for this change. The business impact should be clear for the CIOs: CIOs who handle security well will keep their job. Those who can’t handle it well will lose their job.
The board, for its part, has to do its due diligence to get the right CIO or CISO a seat on the board. It should evaluate a mixture of candidates who understand the business and have experience addressing data protection, privacy, and regulatory compliance issues. The CIO/CISO may need to report directly to the CEO, as a direct line to understanding the security risks associated with business decisions.
IDC believes that organizations with such a role will have a far more structured approach to IT security and procurement than their competitors.