Date: 30th of March 2017

My Guide to Toxic Combinations: The role of a CISO – Part 1

There can be no question in my mind: the role of the CISO has evolved. Its evolution has not been an easy one. The 1990s hangover still surrounds this very pivotal role. It is not a question of reporting line alone, though in large, global, complex and in some cases too-large-to-manage firms the reporting line can be very confusing, not just for the CISO but for everyone else.

We within the security industry don’t help ourselves, complicating the way in which we describe what we do, the way we talk about our activity and the way we try to demonstrate value add. So we need to ask the right questions first before we can make any determination of what the role of the CISO is. In order to help me answer my own question I wanted to examine how we in the cyber security industry perceive ourselves.

I believe my primary directive as a CISO has always been to provide factual and impartial advice, guidance and counsel. I am not about taking anyone’s side, and at all times I attempt to refrain from politicizing the role of a CISO. Keeping it simple for me, an effective but directive CISO will do no more than the above; if you think they do, I am very interested in your take. This opens the door to another question, which is: who are you advising, guiding and counselling? And there lies the toxicity for me. It stems from either a legacy view of what the CISO should do and who the CISO should report to vs. what the CISO must do and who the CISO should report to (I will get to that at a later date). For this post, let’s examine just one of those potentially toxic combinations: the CIO and CISO relationship.

Would you say that this is a relationship made in heaven? For me this has always been the relationship from hell: a toxic combination of competing priorities and vastly different agendas is, to me, the recipe for failure. This relationship will never work in a reporting line context. I may have some unconscious bias, some prejudgement from my past experience; even with that said, I believe any firm that places the CISO within IT needs a reality check.

Apart from the fact that it is exhausting to consciously battle the person you have to report to, it is also hard to justify today that this is a sensible fit. The CIO’s role in general, and in my view, as Chief “Information” Officer, is to ensure that business information and processes are effectively translated to achieve business objectives through the use of technology services: to do this in the most cost-effective and efficient manner, with limited to near-as-no possible interruption, to have instant recovery in the event of failure, and to operate under the ever-increasing pressure of legal and regulatory change. Map that against my primary directive: as a peer it works well; as a subordinate you are in conflict mode from the start. In a nutshell, it is a conflict of interest.

To the CIO community, what gives? What is the attraction of keeping security within your remit? Would you not prefer the independence? I am not suggesting that this applies to everyone or every firm. However, if as CISOs we are really to start making that difference, it is important to start pointing out that the discipline has outgrown its roots. The role of a CISO within an IT function does not work well. Time to let go, maybe!

The CyberTree Paradox
