Does the CIO have to report to the CISO? Should security teams disappear? These are bold moves currently on the table as companies continue to grapple with the leadership structure.
The hierarchy is fairly typical across organizations: the chief information security officer is the senior manager in charge of protecting data and systems, and reports to the chief information officer, who oversees the IT systems necessary to support business objectives. A 2021 report from AINS, which was updated in March 2022, found that 54% of surveyed CISOs report to a CIO, and 15% report directly to a CTO. Sixty-nine percent were in a technical role rather than a business role.
What if everything was turned upside down? This is an idea that has been suggested within the security community.
“We force CISOs to be true business leaders. They also need to be super technical – or they need to at least have an understanding of the systems they’re defending,” Ben Johnson, co-founder and chief technology officer at Obsidian, said during a roundtable luncheon at the RSA conference. “The result is that they have to move up the ranks quickly.”
Of course, the counter-argument would be that cybersecurity is still a function of information technology and that the CIO should lead the overall mission of IT. But deciding which side is right may be less important than understanding why the debate emerged in the first place.
“I think the root of the problem is that security is still seen as a tax rather than an investment,” Johnson said in follow-up comments to SC Media after the lunch discussion. “In order to continue to change that, we all need to continue to communicate risk around the technology that drives our business.”
Johnson compared the change in mindset needed to building cars with safety designed in early in the engineering process, versus adding seatbelts and airbags after the fact. Whether it’s realistic in today’s businesses to reverse seniority and make the CISO the top IT executive in an organization “is less important than creating a lens in which technology deployments and investments are mapped to a security framework and architecture, ensuring that new technology reinforces the whole security posture rather than weakening or complicating it,” he said, noting the related trend of CISOs becoming CIOs.
“Security teams, including management, need to understand the technology stack, and CISOs are continually challenged to become business leaders,” he said. “This means they are a perfect fit for the CIO role, so having that extra security DNA in the CIO role increases the cyber defense awareness and capabilities of the entire company.”
Are new positions needed for each security issue?
Role reversal is not the only attempt to solve this problem. Business information security officers (BISOs) have begun to emerge in recent years, typically tasked with assessing, defining, and augmenting enterprise-wide IT security initiatives so that they are strongly aligned with key business objectives and compliance needs. Sometimes BISOs exist alongside a CISO in an organization; other times, they take the place of CISOs.
“The idea has merit,” said Joe Slowik, senior threat intelligence and detection manager at Gigamon, during the lunch discussion. “I hate to say that we will invent a new role to solve every problem. But organizations don’t exist around a secure network; maybe some banks do, but for the most part you are providing a service, producing goods and determining how security can allow this function to continue appropriately with a reasonable investment to ensure privacy, availability, reliability and integrity. Having someone who owns this communication could be helpful.”
So, if security is ideally meant to be embedded throughout the organization, is there really a need for a dedicated security team? This, too, is a consideration for some, as technology companies begin to integrate security professionals into development teams. It’s an extension of a suggestion to ditch QA teams, Johnson said, with the theory being that if you get rid of QA, developers have to own it themselves.
And yet, he added, almost every organization still has quality assurance.
It’s indeed a trend that Arabella Hallawell, director of marketing at Mend (formerly WhiteSource), sees among customers: the integration of security into engineering teams. She doubts the two will completely converge, pointing to cultural differences between the teams that could block progress. Hallawell, who is also a former vice president of research at Gartner, actually fears that the doubling down on technology development is preventing security leaders from gaining the influence needed to drive change.
“I think it’s a good idea to have higher security, but I actually see the CISO being overwhelmed by the cloud era and the focus on development,” she said during the lunch. “I always see the CIO getting more attention in the boardroom.”