The prime position of the Chief Information Security Officer (CISO) has been debated for years within the corporate hierarchy. It’s a discussion that will unlikely end soon. Historically, the position has belonged within IT security, as the CISO needs many of IT’s skills to install and monitor complex security products. However, opinions waver on whether the CISO needs all the capabilities of an IT professional. For example, a general does not need to be an expert in hand-to-hand combat to plan a successful attack.
Wisegate, a peer-driven IT research company, hosted a discussion between its senior-level IT professional members to debate the role and position of security and the CISO in a business. To complicate matters, most of the IT pros believe security is no longer simply a subset of IT. Security needs to liaise with multiple departments to help secure a business— with human resources for matters of identity and access, legal for regulatory compliance matters, and the business overall to ensure security practices are aligned with industry requirements.
Statistics show that the world hasn’t caught on to this, however. More than half of all CISOs report to the Chief Information Officer (CIO) and remain, technically, under the IT umbrella. This positioning creates the single biggest underlying conflict within the CISO role, for there is an inevitable rift between security and IT. IT’s goal is to facilitate business—if product marketing wants a product to have certain features, IT works to enable it. However, security’s priority is to ensure all business activities are safe, leading some to believe security’s job is to stop things. But it might be best to say security’s job is to facilitate the bad habits of business in a safe manner, and remediate the rest.
For a good example of how IT and security approach a situation differently, consider the use of mobility and the cloud. If the executive team wants to use a particular cloud service, IT agrees to put the cloud in motion. Security, however, is presented with a fait accompli. By objecting that the cloud service may be insecure, the security personnel may create tension and the executive team may use the service regardless. Negotiating this conflict as a CISO is a delicate challenge. It requires communications skills beyond the norm.
Most CISOs report to the CIO, but Wisgate’s member-based research shows the vast majority would prefer not to do so. This begs a major question: If security is not set up to thrive within IT, where does it belong?
The majority of security commentators support security reporting directly to the board, but CISOs are split. The concern is that if the CISO sits on the board and continually demands higher budget and stronger controls, the position will rapidly be ignored or sidelined. CISOs need a buffer between security and the board, and that same buffer must fight for the concerns of IT.
A preferred alternative is to bring security out from under IT, and instead move to the Chief Risk Officer (CRO) department since security and risk are so closely aligned. This would be better suited for a CISO’s career path, as well—it allows for a logical move from CISO to CIO or CRO when security is out from under the umbrella of IT. Security, after all, is no longer simply an IT issue. It is a business concern that touches every aspect of a company. The rest of the corporate world needs to catch up to this way of thinking.[su_box title=”About Wisegate” style=”noise” box_color=”#336588″]
Wisegate is a member-based IT research company that serves the industry’s most senior-level IT practitioners. Wisegate’s editorial team keeps a pulse on what matters to IT via its members, and publishes member-based advice, best practices and collaborative insights for the IT industry’s most pressing and important issues. [/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.