Should the CIO report to the CISO? Should security teams disappear? These are bold moves currently on the table as companies continue to struggle with leadership structure.
The hierarchy is pretty typical across organizations: The chief information security officer is the most senior IT executive in charge of protecting data and systems, reporting to the chief information officer, who oversees the computer systems required to support the business objectives. A 2021 report from AINS, which was updated in March 2022, found that 54% of surveyed CISOs report to a CIO, with 15% reporting directly to a CTO. Sixty-nine percent reported into a technical function, rather than a business function.
But what if that was turned upside down? It’s an idea that’s been suggested within the security community.
“We're forcing CISOs to be true business executives. They also have to be super technical — or they at least need to have an understanding about the systems that they’re defending,” said Ben Johnson, cofounder and chief technology officer at Obsidian, at a lunch roundtable discussion during the RSA Conference. "The result is that they’re quickly having to move up the ladder.”
Of course, the counterargument would be that cybersecurity is still a function of information technology, and the CIO needs to lead the comprehensive mission of IT. But deciding which side is right may be less important than understanding why the debate has emerged in the first place.
“I think the root of the problem is that security is still seen as a tax rather than an investment,” Johnson said in follow-up comments to SC Media after the lunch discussion. “In order to continue to shift that, we all need to continue to communicate the risk involved with the technology driving our businesses.”
Johnson likened the necessary shift in mindset to building cars with safety integrated from the very beginning of the design and engineering process, versus adding some seat belts and airbags after the fact. Whether reversing seniority to make the CISO the most senior IT executive in an organization is realistic in today’s enterprises “is less important than creating a lens whereby technology deployments and investments are mapped to a security framework and architecture, making sure that new technology strengthens the overall security posture rather than weakening or complicating it,” he said, pointing to the related trend of CISOs becoming CIOs.
"Security teams, including leadership, need to understand the technology stack, and CISOs are continually being asked to be business leaders," he said. "This means they’re a strong fit for the CIO position, so having that additional security DNA at the CIO position raises the entire company’s awareness and capabilities around cyber defense."
Are new positions needed for each security issue?
Role reversal is not the only attempt to address this issue. Business information security officers began to emerge in the last few years, typically charged with assessing, contouring and augmenting companywide infosec initiatives so that they strongly align with key business objectives and compliance needs. Sometimes BISOs exist alongside a CISO in an organization; other times they take the CISO's place.
“There's some merit to the idea,” said Joe Slowik, senior manager of threat intelligence and detection at Gigamon, during the lunch discussion. “I hate to say we'll invent a new role to solve every problem. But organizations don't exist around a secure network; maybe some banks do, but for the most part, you’re providing a service, producing goods, and figuring out how security can enable that function to continue appropriately with a reasonable amount of investment to ensure confidentiality, availability, integrity. Having someone that owns that communication could be helpful.”
So if security is ideally meant to be integrated throughout the organization, is there really a need for a dedicated security team? That, too, is a consideration among some, with tech companies beginning to embed security professionals within development teams. It's an extension of a suggestion to forgo quality assurance teams, Johnson said, with the theory being that if you get rid of QA, then developers have to own it themselves.
And yet, he added, pretty much every organization still has QA.
That is indeed a trend that Arabella Hallawell, chief marketing officer at Mend (formerly WhiteSource) sees among customers, with security embedding in engineering teams. She doubts that the two will converge completely, pointing to cultural differences among the teams that could stall progress. Hallawell, who is also a former Gartner vice president of research, actually fears the doubling down on tech development will impede security leaders from gaining the influence needed to change.
"I think it's a good idea to have security more elevated, but I actually see the CISO being subjugated with the era of cloud, and emphasis on development," she said during the lunch. "I still see the CIO getting more attention in the board room."