
To truly understand security, the business should consider a new CEO or CTO

David Braue | July 15, 2016
IT security can be improved if a C-suite executive is appointed to focus specifically on issues of trust.

CISOs may be seeing mixed results when trying to teach company executives about the nuances of information security, but one business expert believes outcomes can be significantly improved by appointing a C-level executive focused specifically on issues of trust.

The appointment of a chief trust officer (CTO) or chief ethics officer (CEO), Accenture Security APAC managing director Jean-Marie Abe-Ghanem told CSO Australia, is emerging in some companies as a way of countering the perception that security is purely a technological problem with a technological solution.

Instead, such an executive would tap into the universal understanding of the importance of trust - something that 83 percent of executive respondents in a recent Accenture survey agree is critically important to the digital economy; conversely, 82 percent of respondents believe that the transition to digital also exposes them to "exponentially more risk".

Vendors of security products, Internet of Things (IoT) devices and other modern technologies must therefore treat trust as a key design criterion, Abe-Ghanem said, by understanding which of their products and services hold client data, and whether consumers trust them to look after that data.

"Businesses need to get that trust feedback from customers, and to succeed they must take at least one product and evaluate it at every step to see how they are dealing with trust or ethics around the data," she explained. A chief trust or ethics officer would be tasked with building principle-based codes of conduct to reinforce those perceptions, with involvement from security specialists to ensure those controls are implemented as enforceable policies.

The executives must also frame those policies within the context of accepted standards for security and governance, with appropriate benchmarks to measure ongoing compliance. "They have to challenge decision-making when companies are dealing with data in the process," Abe-Ghanem said. "This means challenging what informed consent means when clients give it to you, and understanding the data and how it is used within the business and its products, systems, and processes. They're looking at how to do no harm, really, and what this means at every step of the process."

Her voice is one of a growing chorus of security experts pushing for new approaches to a risk equation that has gained numerous additional variables in recent years. Approaching the problem with fresh eyes, from new angles, is seen as a key part of an effort that must also include a bottom-up reconciliation of business and technology activities to identify and isolate ongoing security issues. Those issues must then be restated in business terms, so that executives can act on them without having to decode the jargon of information-security enforcement.

Accenture is already conducting early proofs-of-concept with clients in Australia to see whether a more context-based approach to security can improve both internal compliance and the external perceptions of products and services designed to handle consumer data.
