News / Is it time to realign, or even retire the role of the CISO?
For some time we have accepted that effective business security, data privacy and compliance requires a Chief Information Security Officer to act as the lynchpin between the IT security functions and the company board. It was the CISO that ensured that security was a “boardroom issue”, and this mantra has stuck.
The concept started in the United States but has never really caught on in the UK and Europe; perhaps it never will. As business operations shift from a consolidated infrastructure to a fragmented but more flexible digital model, the traditional CISO role is being challenged by new demands.
The main claim for the CISO was that it was a business focused position much more than a traditional IT or security position, one that could convince the board of the need for investment in security for increased business competitiveness.
While the message that security is a business driver remains perfectly valid, perhaps appointing a CISO was not the right way to go about this. As conditions on the ground became more challenging, the CISO has started to look to remote from the technical end of cyber security, which remains hugely important. It’s almost as if the CISO role has lost focus on securing the IT systems and data that make up the digital ecosystem of the organisation, as trying to keep the business on board has become an end in itself.
An extract from a CISO blog, while making perfectly valid points about the business responsibilities of the role, effectively sums up how the focus has perhaps shifted too far. It says that a CISO has a “responsibility to help achieve optimal customer satisfaction and achieve maximum shareholder value in light of the fact that security is viewed by many as overhead”.
Is this “business overreach”, with its references to shareholder value and customer satisfaction? Have we drifted too far from the role that simply ensures that the organization’s IT and data security is the best it can be. Security may well be a business driver, but should security leaders really be value creators and measured on that?
It’s hard for a CISO to tell the board he or she is managing security effectively when LOBs and others are already undermining the IT department on a daily basis. These rogue cloud deployments, devops and shadow IT purchases are way off the CISO’s regular board updates.
If the CISO is unable to triangulate the risk posture of the organisation and is out of touch of fast changing digital developments, there is a danger that sitting on the board is akin to dwelling in an ivory tower and in the end, actually misleading the board – the very opposite of what the CISO is supposed to do.
Perhaps the security leader should become detached from the board once again as, for example, a Chief Security Operations Officer or similar. He or she would sit at the top of the people, appliances and managed security services platform so typical of modern businesses, but no further.
As security services become hybrid in nature to meet the demands of digital organisations, so should the person thought good enough to manage them – but from outside of the boardroom.