In “The CIO should report to the CISO,” contributor Richard Stiennon suggests organizational structures should be changed such that the CIO reports to the CISO, instead of the current scenario where the CISO reports either to the CIO, or sometimes directly to the CEO.
This approach, however, will not improve the security posture of a company. Security typically is, or has been, “control based,” and simply flipping the reporting structure isn’t going to change anything. In fact, it could cause additional power struggles. Security instead needs to transition to a context-based approach, and collaboration between all groups, not just between the CIO and CISO, needs to increase.
Given the meteoric rise in the number of security breaches in recent years, CIOs and CISOs need to be highly aligned and collaborative around every corporate initiative. As mentioned above, control-based security approaches focus primarily on well-defined network perimeters and static applications and assets. Yet the onset of cloud computing, containers, and software-defined everything has forced us to rethink this approach. Security needs to be both continuous and context-based, meaning that different application and infrastructure deployments have different security requirements, based on their public/private location and on how they store and access sensitive data.
In other words, the security controls are much more granular and tightly coupled with the context of the application and/or data.
It’s worth noting that the role of the modern-day, transformative CIO is rapidly evolving at the same time, becoming the “CEO of Technology,” as organizations shift from cost centers to service providers and revenue enablers. As part of this evolved role, the CIO needs to lead the charge in articulating the value of technology with “why” metrics instead of being overly enamored with the technical “how.” CIOs need to be able to clearly articulate to the CEO and Board how their strategic initiatives are aligned with and empowering the business, as well as instill confidence in their C-suite peers, so that they are viewed as a “trusted advisor” on many fronts.
So, what can we expect looking forward to the year 2020? With respect to reporting structure, if we continue to think of the CIO as the “CEO of Technology,” it makes the most sense to continue to have the CISO report to the CIO, and progressive CIOs will treat the CISO as a “trusted peer” instead of potentially causing a political power struggle. If the collaboration between the CIO and CISO continues to increase, and they jointly focus on strategic solutions that are measurable, the overall security posture of the company will improve and strengthen, so that by 2020 the massive breaches of today will have become a historical artifact.
Taking a further forward-looking view into what the CIO role of 2020 will look like, it will likely continue to grow in strategic importance to the core business, and the CIO will ultimately become the trusted technology and security advisor to all lines of business. A similar trajectory will be seen for the CISO, given the role’s strong ties to the CIO, as no strategic solution should be deployed without security being involved and architected in from the onset. Both the CIO and CISO of 2020 will need to focus on a myriad of initiatives, but the north star should always be on business outcomes and driving revenue.
The evolution of the role of the CIO by 2020 will only be successful if the CISO both reports into, and collaborates with, the CIO. It will be up to the CIO to ensure that security is always seamlessly integrated into every project, and it will be up to the CISO to keep up their end of the bargain by collaborating and measuring what matters to improving security posture and keeping the company out of the headlines surrounding the latest data breach.