Who's held responsible if company data is breached? According to Dark Reading, chief information security officers (CISOs) are a top pick — almost half of US CEOs and other C-suite execs say CISOs are accountable for IT security failures. But there's a problem, since only 38 percent believe CISOs should take charge of security strategy and purchasing decisions.
Bottom line? This executive role is among the most difficult in the organization, and there's no clear path to promotion. As Forrester notes in its "Evolve to Become the 2018 CISO or Face Extinction" report, building a better IT organizational structure may require a shift in thinking from "we" to "I."
According to Stuart Itkin, CMO at ThreatTrack Security, there's an imbalance in the current CISO role. "It comes with great responsibility," he says, "but they just forgot to give them the power." eSecurity Planet points out that only 25 percent of executives surveyed by ThreatTrack said CISOs helped improve day-to-day security, and the same number felt CISOs deserved a seat in the boardroom.
Despite the dim view these executives take of the CISO role, 79 percent of C-suite members believe their board of directors should have "at least one member with a background in cybersecurity." In other words, expectations and reality don't match. Executives want CISOs with strong security skills, but they aren't willing to give them the power needed to do their jobs effectively — yet they still expect them to take the fall if data goes missing or servers are breached. It's no wonder, then, that companies aren't having much luck recruiting: They're not certain what it is they need, let alone how to find the ideal candidate.
Forrester's new study argues that the traditional career path for CISOs is dying. In part this is due to a consolidation of roles: CISOs are now expected to deal with information management, risk management, brand protection and third-party relationship management, in addition to handling traditional technology oversight. Specifically, the report predicts data governance will underpin CISO effectiveness, IT compliance will fall entirely under their jurisdiction and privacy will become a key focus for this position. What does this mean for the overall IT organizational structure? That it's time to toss traditional thinking. While "we"-focused processes have led to the emergence of DevOps teams and cloud computing collectives, "I"-driven thinking may be what's needed to empower the development of new CISO roles.
Put simply, the idea here is for interested security and risk (S&R) professionals to build the role they're looking to obtain. Instead of waiting for the C-suite to advertise new jobs and define IT roles, the lack of hard-and-fast CISO standardization offers the opportunity for IT professionals to step up and create their own paths to promotion. Think of it as giving executives what they don't know they need instead of what they think they want; if IT professionals can demonstrate what current CISOs see as necessary for the future of the position — i.e., leadership, strategic thinking and business knowledge — then it may be possible to build a security executive role that not only comes with great responsibility, but also with commensurate power and authority.
Right now CISOs are caught in the middle of a boardroom battle, with some execs convinced they're just glorified IT techs and others certain they need a seat at the table. S&R professionals with a clear sense of business needs — and the ability to tap their inner "I"-drive to create a CISO role worthy of the title — stand to benefit both themselves and the enterprise at large.
Time for a CISO sea change? Dive into the Forrester report here.