Two interesting trends are happening in the enterprise regarding CISOs: some companies are further empowering this somewhat new role with expansive powers and responsibilities that range from incident response to IT compliance lead to customer data privacy. Meanwhile, other companies are eliminating the role altogether. Liberty Mutual became the latest Fortune 500 company to do so when the highly talented and effective Scott Blake left. Of course, I’m sure the company has its reasons and I don’t question them … but I am left puzzled over the decision. I might understand the move in a technology vendor where the CSO/CIO combination subsumes the typical CISO role; however, in a large insurance company with distributed IT and software development teams I am surprised that a role dedicated to information security and data protection is viewed as expendable.

With so many companies reporting financial losses as a result of external and internal attacks on their systems over the past few years, the role of CISO has become increasingly prevalent and important in the enterprise. 55 percent of companies responding to a recent study by IDG and PWC report that they now employ a CISO, up from 31 percent 2 years prior. And with more and more companies seeing the business value of the CISO, many organizations have them roll up to the CFO and not the CIO or CSO.

About half of all companies rely on either the CIO or CSO to handle a CISO’s duties, but neither of these roles is truly designed to tackle the broad array of information security challenges in my opinion. CIOs are usually technologists who facilitate business processes with technology implementations – their role is one of “positive” use cases. But security can slow down project implementation and software development, frustrating end users and causing tension between the CIO’s office and the office of the CISO.
The CISO is often placed in the role of “negative” use case owner, thinking up ways where the organization’s information could be tampered with or stolen. Often these two groups have competing or conflicting interests, so some organizations don’t have one or the other (usually the CISO role gets the short end of the stick). The trend of having CISOs (and even CSOs) report to the chief financial officer (CFO) rather than the CIO is one method of keeping a check and balance in place.

I wonder if the CISO role is going to be one that, in time, is viewed as nothing more than a whistle-blower and as such phased out of organizations. This would be a shame, imo, since I think the CISO should be given more responsibility, not less. CISOs usually have the makeup where they view IT infrastructure and components as liabilities instead of assets, and this gives them the freedom to present business protection measures to the board.

Maybe I am naive in thinking that the role of CISO should be gaining relevance and importance in the enterprise. Maybe the companies that have eliminated the position know something I don’t. I certainly assume they know what’s best for their business and have made the decisions they need to support this. Meanwhile, I am very curious to see how things pan out in the future. I’d love to hear what readers think of these trends. Please share with me your thoughts and stories around the role of CISO.