While IT should be involved from the start in the development of a security strategy, the CISO should be part of the security function (not IT), and should be concerned with aligning security measures with the business strategy.
The CISO should report to the board and the audit committee: "it's just (another aspect of) risk," said Phair at VMware's Evolve 2017 event in Melbourne yesterday, adding that strategy, risk and governance are the board's concerns.
The board needs to make decisions at a high level, e.g. "is gold-plated security appropriate?", although those in regulated industries may not have much choice. It is then the CISO's job to explain what that decision actually means in terms of time and cost.
The performance of Australian organisations in this regard is "pretty hit and miss", Phair said, and it's not just about the size of the business. The big banks do it well, he said, but one ASX 200 company is not on top of IT security to the degree he expected.
Establishing the ROI for IT security investments "is tough," said Phair, "with physical security you've got something (tangible)."
"IT security is a business driver that adds value," he said, but the risks have to be managed.
The growing number of commercial-grade security conferences is a promising sign, he suggested, noting that vendors are throwing money into such events at a time when people want to learn about the issues.