Ed Adams
Ed Adams
Two interesting trends are happening in the enterprise segment of chief information security officers (CISO). Some companies are further empowering this somewhat new role with expansive powers and responsibilities that range from incident response to IT compliance to customer data privacy. Meanwhile other companies are eliminating the role altogether.

I might understand the move in a technology vendor where the CSO/CIO combination subsumes the typical CISO role. However, in a large company with distributed IT and software development teams, I am surprised that a role dedicated to information security and data protection is considered expendable. 

About half of all companies rely on either the CIO or CSO to handle a CISO's duties, but, in my opinion, neither of these roles is truly designed to tackle the broad array of information security challenges. The CISO is often placed in the role of “negative” use case owner, thinking of ways where the organization's information could be tampered with or stolen. Often these two groups have competing or conflicting interests, so some organizations don't have one or the other.

CISOs usually view IT infrastructure and components as liabilities instead of assets. This gives them the freedom to present business protection measures to the board. Am I naive in thinking that the role of the CISO should be gaining relevance and importance in the enterprise? Maybe the companies that have eliminated the position know something I don't. I certainly assume they know what's best for their business and have made the decisions they need to support this.