Dr Boaz Gelbord, executive director of information security at an unnamed firm, claimed in a post on his personal blog that the industry has over-hyped threats and demanded too much time and money to mitigate risk.
Companies have also bought expensive security equipment and hired large security teams, and this has left some of them doubting whether they need a CISO at all.
Gelbord said: “Whether your company needs a CISO is essentially a question about whether your company needs a full time executive to own and manage its security narrative. Not every company has a chief privacy officer, a chief continuity officer, a chief blogging officer (yes, that one exists).
“But if privacy, continuity, or blogging is critical to your company, you will have that CPO, CCO or CBO. It works the same with security. So how many companies actually do need a CISO?”
He further claimed that “there are still a large number of companies that need a security narrative and need a CISO to own it. For these companies, the CISO function will become even more prominent in coming years. And these CISOs are as hard as ever to find”.
Gelbord identified four key skills for a good CISO: the ability to produce change, an understanding of how business processes and information interact, an understanding of the technologies used in an organisation, and an understanding of legal and compliance issues.
“These skill sets are not in and of themselves so unique - any executive in a technology driven company needs a bit of each one. The tough part is finding someone who has all four skills and is actually interested in information security.
“Some people talk about chief risk officer being the next generation of the CISO function. I don't buy this. Everything a company does involves risk, and there's only one person who is ever going to be really responsible for managing all enterprise risk. That's the CEO,” said Gelbord.