...from geek to business speak...
Dennis Fisher has nice writeup over at the SearchSecurity Security Bytes Blog about the changing role and reporting structure of the CISO.
Specifically, Dennis notes that he was surprised by the number of CISOs who recently told him that they no longer report to the CIO and aren't a part of IT at all. Moreover, these same CISOs noted that the skillset and focus is also changing from a technical to a business role:
In the last few months I’ve been hearing more and more from CEOs, CIOs and CSOs about the changing role of the CSO (or CISO, depending on your org chart) in the enterprise. In the past, the CSO has nearly always been a technically minded person who has risen through the IT ranks and then made the jump to the executive ranks. That lineage sometimes got in the way when it came time to deal with other upper managers who typically had little or no technical knowledge and weren’t interested in the minutiae of authentication schemes, NAC and unified threat management. They simply wanted things to work and to avoid seeing the company’s name in the papers for a security breach.
But that seems to be changing rather rapidly. Last month I was on a panel in Chicago with Howard Schmidt, Lloyd Hession, the CSO of BT Radianz, and Bill Santille, CIO of Uline, and the conversation quickly turned to the ways in which the increased focus on risk management in enterprises has forced CSOs to adapt and expand their skill sets. A knowledge of IDS, firewalls and PKI is not nearly enough these days, and in some cases is not even required to be a CSO. One member of the audience said that the CSO position in his company is rotated regularly among senior managers, most of whom have no technical background and are supported by a senior IT staff member who serves as CISO. The CSO slot is seen as a necessary stop on the management circuit, in other words. Several other CSOs in the audience said that they no longer report to the CIO and are not even part of the IT organization. Instead, they report to the CFO, the chief legal counsel, or in one case, the ethics officer.
I've talked about the fact that "security" should be a business function and not a technical one and quite frankly what Dennis is hearing has been a trend on the uptick for the last 3-4 years as "information security" becomes less relevant and managing risk becomes the focus. To wit:
The number of organizations making this kind of change surprised me at the time. But, in thinking more about it, it makes a lot of sense, given that the daily technical security tasks are handled by people well below the CSO’s office. And many of the CSOs I know say they spend most of their time these days dealing with policy issues such as regulatory compliance. Patrick Conte, the CEO of software maker Agiliance, which put on the panel, told me that these comments fit with what he was hearing from his customers, as well. Some of this shift is clearly attributable to the changing priorities inside these enterprises. But some of it also is a result of the maturation of the security industry as a whole, which has translated into less of a focus on technology and more attention being paid to policies, procedures and other non-technical matters.
How this plays out in the coming months and years will be quite interesting. My guess is that as security continues to be absorbed into the larger IT and operations functions, the CSO’s job will continue to morph into more of a business role.
I still maintain that "compliance" is nothing more than a gap-filler. As I said here, we have compliance as an industry [and measurement] today because we manage technology threats and vulnerabilities and don't manage risk. Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two. For most, it's the best they've got.
Once organizationally we've got our act together, compliance will become the floor, not the ceiling and we'll really start to see the "...maturation of the security industry as a whole."
/Hoff