Has the role of CISO become too big for one person to handle? According to Paul Groce, Global Head of CIO/Technology Operations for executive search firm CTPartners, it has – and he thinks it's time for a change.

Groce gave CSO his thoughts on how the CISO role has evolved since the '90s, and why the complexities of the increasingly demanding position require a new approach to address corporate security needs today.

Tell me a bit about your background and how you work with security professionals.

As head of CTPartners' CIO functional practice, my job is to find the best candidates for critical positions in an organization's IT team, including CSOs, CISOs and other top security roles.

Our focus for such roles is distributed across many industries, with the financial services vertical areas some of the hottest. We also work with companies in consumer and retail, life sciences, pharmaceutical and manufacturing technology assignments at the VP and higher levels. Security concerns cut across all industries.

How have you seen the role of the CSO/CISO evolve in recent years?

As information security evolved, large organizations built out security functions to support various lines of business and geographies. As complexities increased, corporations began to create positions at the central enterprise level, typically under the CIO. The corporate/enterprise CISO began to emerge as an executive capable of leading in many areas: security policy, audit, compliance and network and intrusion protection technology. Early CISOs were layered down in the organization, as the role was viewed as a preventative and administrative function, not one strategically critical to the organization. The CISOs that existed did not think or operate as holistically as today.

Significant changes began to occur. A broader recognition of disaster recovery threats came from the lessons of the 2001 terrorist attacks. IT risk began to enter the conversation for CIOs and for others, gaining recognition at a higher and more critical level. Many industries saw heightened requirements; HIPAA in the healthcare industry is one such example. Regulatory and compliance demands began to require higher levels of executive involvement, with CISOs beginning to partner with, and in some cases report jointly to, higher-level enterprise risk and compliance executives while still "solid-line" reporting to the CIO. This drove a need for technically capable CISOs who also possessed strong business partnering skills. External to the CIO, AML and Anti-Fraud groups within financial services and retail companies matured under operations leaders.

More recently, aggregation of IT risk responsibilities has occurred. Increasingly, there is a holistic approach to information security, governance, risk, HR (employee background checks), vendor management (vendor background checks), IT disaster recovery and even physical security. Few organizations have successfully aggregated multiple functions under a "Security Czar," as the Head of Physical Security is not seen as fit to manage the CISO and the CISO is not seen as one to manage the Head of Physical Security. Neither one is typically viewed as capable of serving in an enterprise risk role, as this involves components of business risk as well. And with banking, AML and Anti-Fraud remain outside of the CISO/IT Risk group.

Matrix reporting structures involving risk, CIO, CISO and Physical Security attempt to tie all aspects of security together. Most organizations focus on partnering, not on formal aggregation of responsibilities. Committees are most commonly used to bridge the gaps and achieve the holistic focus on cooperation between the many functional leaders whose responsibilities combine to equate to "IT Risk."

What factors do you think have been most crucial in changes to the role?

As we well know, security is no longer an IT issue but a business issue, an enterprise issue and a universal corporate concern, and in recent years the aggregation of IT risk responsibilities has occurred. Increasingly, there is a holistic approach to information security, governance, risk, HR (employee background checks), vendor management (vendor background checks), IT disaster recovery and even physical security.

The widespread use of mobile devices like the iPad has impacted business and corporate environments more significantly than many would have predicted, and technology, a function long dismissed by CEOs and boards, is suddenly a major topic of interest.

Board-level awareness of IT security has coincided with an explosion of high-profile incidents. The proliferation of data – and noted failures to properly secure it – has resulted in an increase in catastrophic events in the corporate world. These events became front-page news and almost overnight, senior leaders knew enough to know that their corporations were exposed. Almost overnight, IT security and IT risk were corporate priorities.

Where does the role stand now in terms of demands and complexity? Do you believe it should be a shared role, or divided further among more than one person now?

Some organizations have formally combined many responsibilities under a single senior-level leader. The continuing increases in demands drive the question: "Is this too complex for a single executive to manage?" Is disaggregation of responsibilities the next wave? In the words of one top IT Risk executive, "I can no longer do my job… it is too broad for me to manage what I managed a few years ago… the single solution for the future is a Co-Head management structure that is dependent upon cooperation and teamwork."

The complexity of an aggregated IT risk executive role leaves most corporations a short list of options to consider. The structure of IT Risk depends upon the organization's needs, but many corporations consider these options:

- Head of IT Risk Executive: One who possesses the full scope of responsibilities, but this combination is found in a very limited number of executives in the market.
- Co-leadership arrangement: This is the current approach of most firms because they recognize that the span of control has grown "too large to manage." However, this defeats many CEOs' intent of aggregating responsibilities.
- "Info Security Czar": This approach allows a seasoned general manager or large-scale executive to assume the role. This may be a past CIO, COO or CRO who has managed large teams and interacted heavily with business leaders and is capable of serving as the de facto chairman of an internal operating committee and driving the CEO's security and IT risk agenda. While not the highly technical CISO expert, this leader will understand the broader issues so that he/she can govern the many groups who must collaborate and cooperate to succeed in the mission.

I see more and more companies seriously considering the Co-Head structure.

How do you envision that would work?

Splitting the role means defining the specific priorities of high-powered, highly competent leaders who are probably not used to sharing responsibilities. Specifying the co-roles and matching them to the right individuals is difficult but essential. The co-leaders will be held accountable in their own areas and at the same time be responsible to work synergistically with their partner. Depending on the company, roles can be split by geography or by delineation of IT risk functions. However it is done, it takes strong, confident yet collaborative executives to pull it off.