When BCE Emergis recruited Yogen Appalraju from Ernst & Young two years ago to keep its electronic data from falling into the wrong hands, the e-commerce services vendor gave him the title of chief information security officer (CISO) and had him report to the company’s executive vice-president of operations. Before then, a director of security lodged in the information systems operations group had done the job. “But senior management realized that in the business they were in — dealing with large financial institutions and insurance companies and a lot of health care information — security was an integral part of the services they provided,” says Appalraju. “From a risk management point of view, they wanted to understand what our posture was — to have someone who could come in, see where we were at, identify gaps and take action. Also, they wanted someone who could be a visionary for the company on security.” For those attributes, BCE Emergis looked beyond the technical competence of an IT professional and, in hiring Appalraju, selected a senior consultant with a background in accounting, business and internal controls related to IT.
Appalraju is typical of the emerging CISO, a C-suite executive who as recently as two years ago was virtually non-existent in the Canadian corporate hierarchy but lately has begun to appear on the to-do list of executive search firms. Observers say the position is at the same stage of evolution that the CIO position was a decade ago, and they predict it will be transformed even further in the next 10 years, perhaps into one that reports directly to the CEO.
“Prior to 12 months ago, (CISOs) were unknown to us,” says Scott MacKinnon, a headhunter with CNC Global. “We hadn’t seen a senior security person. We’ve started to see the whole of the security arena take off, but we’ve still only done three searches for a CISO in the past eight months.”
Companies shopping for a CISO don’t demand a particular security certification, MacKinnon says. “The requirements focus on their background, where they come from in an organization and what roles they played. Usually, it’s an up-the-ranks person from an architectural role. They also focus on the candidates’ familiarity with the size and scope of the environment that the client is running.”
In most cases, the CISO is reporting to a senior VP, says Terry Scullion, Ottawa-based manager of technological recruiting for Quantum Management Services. In the banking sector, salaries for the CISO are in the $150,000 to $200,000 range plus performance-related bonus, similar to that of a CIO, he says. “They’re very marketable people right now.”
The top classification used to be security manager or information security officer — a tactical or mid-management position, says Rob Reimer, Winnipeg-based Information Security Practice Leader of PricewaterhouseCoopers Canada. “It’s gained prominence to move itself into a director and chief officer and vice-president type of role… it’s much more senior-management oriented.”
One major driver has been the dramatic increase in viruses, data theft and other security breaches as the shift from centralized to distributed computing environments has made valuable data and IT assets more vulnerable to external and internal attacks.
The issue of governance may be an even more significant factor. “I think what’s really taken it to the CISO level are the events of Enron, the Sarbanes-Oxley Act (SOX) and, in Canada, Bill C-198.” SOX, Section 404, and Bill C-198 each require that for any company trading on a U.S. or Canadian stock exchange, management must file an internal control report with its annual report. These requirements, says Reimer, “have really increased the demand for appropriate, relevant security and access controls to be able to demonstrate protection of information resources.”
Privacy legislation — which has applied to the private sector in all provinces as of Jan. 1 — and the growth of outsourcing of company functions such as payroll and human resources have added to the CISO profile.
“The importance of having someone who can understand, at a senior management level, what kind of risks the organization is actually facing, relative to its industry, its technology strategy and the use of its business partners has become paramount,” says Reimer. “No longer can you leave that at the level of a technical mid-manager person who is doing security part-time.
“You need someone who can communicate with the executive level, eloquently talk about those risks, and centralize and co-ordinate all the security activities.”
Not every company is scrambling to add a CISO to its ranks. Financial institutions are most CISO-enabled, but even in the banking sector, only three of the Big 5 (RBC Financial Group, Scotiabank and BMO Financial Group) have designated such a position.
A bank’s security footprint covers four distinct elements: audit, risk management, IT and law enforcement. Each of the banks has evolved differently, so there’s no single template for the oversight of these activities. Nevertheless, says Robert Garigue, CISO at BMO Financial Group, “there is a convergence with the rise of the CISO, as the [largest] proportion of risk now starts to shift toward technology issues, whereas before, bank robbers went to the bank and you needed the guards at the front doors.”
When Garigue left his position as assistant deputy minister in the Office of Information Technology for the Manitoba government to join BMO two years ago, he started as vice-president of information security, “but it was evident as we grew the security function that a change of title was needed to give focus for an enterprise-wide accountability.”
A mid-level infosec resumé usually includes a computer science or MIS degree, work experience involving systems or network management or architecture and a Certified Information Systems Security Professional (CISSP) designation. Initially, a CISO, too, was expected to have that mix of training, experience and certification, but that’s changing. The CISO resumé, says Garigue, has to demonstrate the ability to evaluate where the next series of risks are going to emerge and incorporate that strategy into a budget.
Increasingly, C-suite executives will be “brokers between the board and a domain of expertise,” he says. CISOs will have to make sure the technology is aligned with business strategies, that it supports the execution of an integrated strategy across all elements of the business. This will require not necessarily certification but greater professionalism, he says.
It may also involve a change in reporting relationships. “I haven’t seen a lot of CISOs reporting directly to a CEO,” says Appalraju, “but I think it’s very possible if you look 10 years out — especially if e-business and digitization of business processes are expedited.”