Rethinking your IT leadership strategy

Patricia Titus
Patricia Titus
With all the changes in technology over the last decade, we've seen little change in the roles within IT leadership, says Patricia Titus, former CISO and security adviser.

IT leadership responsibilities have grown from managing dummy terminals to an on-demand world with employees, customers and consumers connected to the Internet of Things (IoT) from smartphones to smart homes and everything in between. With all the changes in technology over the last decade, however, we've seen little change in the roles within IT leadership – with the exception of the creation and/or expansion of the chief information security officer (CISO). The continued media attention on data breaches and serious criminal hacking activities has raised the fear level beyond the executives in the company to the board room and shareholders. Is it time for a change in the roles of our key IT leaders? 

With significant investment being made in information security capabilities, many organizations are also investing heavily to hire top notch CISOs to fill the presumed leadership gap in security. Unfortunately, it's often done out of fear, pressure from the board or because of perceived compliance issues relating to regulatory law. Organizations which decide they need a CISO must approach it with a plan to ensure the program's success by supporting it with budget, resources and by recognizing the changes that may adversely affect the entire IT leadership ecosystem. Decisions around the role of the CISO should be discussed at the board level so expectations are clear for the new leader to help avoid conflict with the CIO.

Is it time for a change in the roles of our key IT leaders?

Organizations deciding to bring on a CISO wrestle with where the position should report, and there is no magical answer. Although some believe the CISO cannot be effective under the CIO, after many years of experience, I have found that this depends on the maturity of the security program, what security versus IT is responsible for, and what regulatory laws govern the organization. I've worked in organizations where I reported to the chief information officer (CIO) and it was a disaster, but I've also worked in different organizations with the same reporting structure and it was a great success. Regardless of the placement of the CISO, it cannot create a battleground forcing the CIO and the CISO to fight for the same resources and funding pitting them against each other and ultimately creating a disastrous situation.

Throughout my own career, when interviewing for various CISO positions, it has been important to discuss the maturity of the security team or program. When the position is new or the enterprise has never had a “titled” CISO before, I'm compelled to ask why they're hiring a CISO versus growing the position organically from within. The answer isn't always what I hoped to hear. More than once I've been told, “the board says we need a seasoned CISO.” Or worse. One CIO said, “I'm being forced to hire a CISO so I'm just looking for someone who can toss out some policies and be a team player.” This is often a telltale sign that better communication needs to happen between IT and executive leadership, not necessarily that there is a void in security leadership. 

Depending on the size of the company, vertical market and compliance requirements, it's quite possible that cross-training the CIO in information security may be an option that organizations consider rather than brute-forcing a CISO role onto the IT leadership team or within the organization. In turn, for more mature organizations – and to help with succession planning – giving the established CISO the ability to cross-train into the CIO role would give them a professional career path and lead to better retention. Organically growing your IT leadership team and blending these positions over time will create a healthier IT team bridging the gap between the CIO and CISO. The trend of CIOs and CISOs blending is already starting, and those organizations are reaping the benefits of having a security professional running the IT team.


You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS