Looking back, the key information security initiatives were discussed only by IT.
Unfortunately, we know that this is still often the case in many organizations: even after an incident, the focus is on IT alone and rarely has an impact on the executive committee.
While many people have tried to explain why this happened by looking only at technical vulnerabilities, we can go further and easily identify one of the main causes: a 35-year-old CEO who was not involved in any IS initiative.
And this happens in many companies in Brazil: many have this vulnerability!
When we raise this in connection with an IS initiative, we always hear a typical phrase: "but we never had a significant IS incident, and we don't have a heavy reliance on IT." A mistake! Nowadays we all have a certain "dependency on other areas," and we still have a reputation to protect, one that can be damaged quickly once an incident ends up on social networks.
So, Mr. President and CEOs, we are vulnerable!
We can no longer understand operational risks, we can no longer treat the IS budget as something additional to the IT budget and relegate their initiatives to the organizations' middle management.
Loss of critical business data and information, privacy breaches, compliance issues, and even business downtime are the most common impacts on today's operations. These incidents put all organizations at risk and hold executives accountable.
This means that the executive committee must be informed of all information security decisions, enabling members of that committee to better understand risk, better exploit new technologies for business benefits, and stay current with IS incidents.
Organizations that offer infrastructure such as power and telecom are more used to this type of involvement but still need to evolve in their maturity. They know about the responsibility of a CIO and CSO, but the CEO must also be aware of their own responsibility, must know the entire IS strategy, and must be aware of risk in their organization.
It is that maxim about the difference between being involved and being committed.
Mr. President, you are committed to IS, so look into your dashboards and understand the risk of your business.