Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why the CIO will report to the CISO

Jeffrey Guy, Senior Director and Founding team, Carbon Black | Sept. 6, 2017
Security and an operational culture are now critical components to the CIO’s role

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Jeffrey Guy, Senior Director and Founding team, Carbon Black

Several years ago, security leaders in many organisations were promoted from a mid-tier manager to chief information security officer (CISO).  In the early organisational chart iterations, security was considered as ‘just one more job’ of the IT department, so the manager who owned security took the CISO title but continued to report to the CIO.

As businesses learned security was more about overall business risk than simply a function of technology, the reporting chain for CISOs started to move outside the CIO’s organisation and CISOs began reporting to the CEO, CFO or COO. 

This evolution is still under way, but it will shift again soon: the CIO will report to the CISO.

CISOs are operationalising their information security programs, transforming security from a checkbox product the CIO bought from a vendor into an operation that combines products, people and processes. Those operations are gaining discipline and rigour from a painful but effective feedback loop, thanks to constant testing by attackers. 

CISOs are discovering that the IT basics such as network management, asset management and patching are critical to secure operations, but in many organisations these are poorly managed. 

As WannaCry and Petya have acutely demonstrated, there were millions of machines both unpatched for weeks and with server message block (SMB) open to the world. Patching is difficult and open SMB is silly, but unpatched systems with open SMB is gross negligence – and this is just one recent and high-profile example. It is impossible to secure an enterprise network when the organisation can’t handle the basic blocking and tackling of IT.

To secure their networks, enterprises must begin operationalising their IT programs, growing discipline as strong as their security operations teams. As realisation of this truth grows, we will see a shift: the CISO will own not just the security functions, but all the core infrastructures – networks, devices and operating systems. 

The CIO will own the business processes: the core value of IT making the business more efficient. The CISO owns the core infrastructure that makes the network run, while the CIO owns the applications that run on that infrastructure and the business processes they support.

Today’s titles won’t make sense at that point. The position we call CISO today will be something more similar to the Chief Information Operations Officer, to reflect his duty to operationalising both the IT and security programs, with the 24/7 operational rigour required to maintain security and availability. He will have something like three direct reports: the operations centre, the enterprise applications team, and a compliance team.


1  2  Next Page 

Sign up for Computerworld eNewsletters.