IT Compliance and Controls

Converging Business, Information, and Controls


Does competency matter as a CIO / CISO? Inspired by Target breach

March 14th, 2014 · No Comments

As the news cycle continues regarding the Target breach of roughly 40 million credit cards and roughly 70 million customer data records, a point came up that seemed relevant. Perhaps it was that I was just working with a global organization implementing a more integrated and responsive security program, and the concepts of RACI and competency were top of mind… either way, the question should be asked.

What skills and competencies should Boards of Directors and Audit Committees seek, expect, and ensure exists with their data and technology leaders?

Those at the engineering level, coding level, and the like have very specific skills, and that knowledge is mandatory to perform the job. At the leadership level, though, the path to these positions spans the whole spectrum, from a salesperson at Target becoming CIO to a technical individual rising through the ranks (Google).

As an architect, operator, implementer, and overseer of Americas audits of security management systems, I have a unique view on designing, implementing, and certifying. I am seeing businesses expect at least the following to be present, documented, and improved regularly (improvement is a requirement of this space, on an annual cycle):

  1. Tenure and experience with the disciplines or deep awareness of products
  2. Familiarity with the legal, internal, external, and business requirements across all regions & products
  3. Depth of competency for the industry of the business
  4. Depth of competency for the technology used by the business and for the business (this is an area organizations have trouble with, since the velocity of change and technology adoption is faster for some businesses than for others)
  5. #4 is increasingly interesting and requires a strong training and position-sharing organizational structure, or comfort with rotating personnel as skills match tasks (i.e., a CISO over an org that relies on deeply abstracted services has a vastly different job than one running 20 in-house data centers)

What are you finding internally?

  1. Are you being supported to document what competencies you need to build (at EY we spend literally weeks on this topic with each person)?
  2. How often, if ever, have you rotated out of jobs to fit better with the 'new' operating structure?

There are many more, but the point is this: attacks happen; technology changes are exciting; business models shift rapidly; and even the operating environments and partners are reinvented in all successful organizations. Therefore the leadership, and the teams supporting their execution, must also swiftly respond to such demands while maintaining the continuity of confidentiality, integrity, and availability of services.

Thoughts?

James

Tags: Uncategorized
