Is the CISO role too big for one person?

Has the role of CISO has become too big for one person to handle? According to Paul Groce, Global Head of CIO/Technology Operations for executive search firm CTPartners, it has – and he thinks it’s time for a change.

Groce gave CSO his thoughts on how the CISO role has evolved since the ‘90s, and why the complexities of the increasingly demanding position requires a new approach to address corporate security needs today.

Tell me a bit about your background and how you work with security professionals.

As head of CTPartners’ CIO functional practice, my job is to find the best candidates for critical positions in an organization’s IT team, including CSOs, CISOs and other top security roles.

Our focus for such roles is distributed across many industries with the financial services vertical areas some of the hottest. We also work with companies in consumer and retail, life sciences, pharmaceutical and manufacturing technology assignments at the VP and higher levels. Security concerns cut across all industries.

How have you seen the role of the CSO/CISO evolve in recent years?

As information security evolved, large organizations built out security functions to support various lines of business and geographies. As complexities increased, corporations began to create positions at the central enterprise level, typically under the CIO. The corporate/enterprise CISO began to emerge as an executive capable of leading in many areas: Security policy, audit, compliance and network and intrusion protection technology. Early CISOs were layered down in the organization as the role was viewed as a preventative and administrative function, not one strategically critical to the organization. The CISOs that existed did not think or operate as holistically as today.

Significant changes began to occur.  A broader recognition of disaster recovery threats came from the lessons of the 2001 terrorist attacks. IT risk began to enter the conversation for CIOs and for others, gaining recognition at a higher and more critical level. Many industries saw heightened requirements; HIPAA in the healthcare industry is one such example. Regulatory and compliance demands began to require higher levels of executive involvement, with CISOs beginning to partner with, and in some cases report jointly to, higher level enterprise risk and compliance executives while still “solid-line” reporting to the CIO. This drove a need for technically capable CISOs who also possessed strong business partnering skills. External to the CIO, AML and Anti-Fraud groups within financial services and retail companies matured under operations leaders.  

More recently, aggregation of IT risk responsibilities has occurred. Increasingly, there is a holistic approach to information security, governance, risk, HR (employee background checks), vendor management (vendor background checks), IT disaster recovery and even physical security. Few organizations have successfully aggregated multiple functions under a “Security Czar,” as the Head of Physical Security is not seen as fit to manage the CISO and the CISO is not seen as one to manage the Head of Physical Security. Neither one is typically viewed as capable of serving in an enterprise risk role, as this involves components of business risk as well. And with banking, AML and Anti-Fraud remain outside of the CISO/ IT Risk group.

[Sign up to receive CSO’s bi-monthly newsletter of career and leadership-oriented articles, events and job postings]

Matrix reporting structures involving risk, CIO, CISO and Physical Security attempt to tie all aspects of security together. Most organizations focus on partnering, not on formal aggregation of responsibilities. Committees are most commonly used to bridge the gaps and achieve the holistic focus on cooperation between the many functional leaders whose responsibilities combine to equate to “IT Risk.”   

What factors do you think have been most crucial in changes to the role?

As we well know, security is no longer an IT issue but a business issue, an enterprise issue and a universal corporate concern, and in recent years the aggregation of IT risk responsibilities has occurred. Increasingly, there is a holistic approach to information security, governance, risk, HR (employee background checks), vendor management (vendor background checks), IT disaster recovery and even physical security.

The widespread use of mobile devices like the iPad has impacted business and corporate environments more significantly that many would have predicted and technology, a function long dismissed by CEOs and boards, is suddenly a major topic of interest.

Board-level awareness of IT security has coincided with an explosion of high-profile incidents. The proliferation of data – and noted failures to properly secure it – has resulted in an increase in catastrophic events in the corporate world. These events became front-page news and almost overnight, senior leaders knew enough to know that their corporations were exposed. Almost overnight, IT security and IT risk were corporate priorities.

Where does the role stand now in terms of demands and complexity? You believe it should be a shared role, or divided further among more than one person now?

Some organizations have formally combined many responsibilities under a single senior level leader. The continuing increases in demands drive the question:  “Is this too complex for a single executive to manage?” Is disaggregation of responsibilities the next wave? In the words of one top IT Risk executive, “I can no longer do my job…it is too broad for me to manage what I managed a few years ago…the single solution for the future is a Co-Head management structure that is dependent upon cooperation and teamwork.”

The complexity of an aggregated IT risk executive role leaves most corporations a short list of options to consider. The structure of IT Risk depends upon the organization’s needs, but many corporations consider these options:

– Head of IT Risk Executive: One who possesses the full scope of responsibilities, but this combination is found in a very limited number of executives in the market.

– Co-leadership arrangement: This is the current approach of most firms because they recognize that the span of control has grown “too large to manage.” However, this defeats many CEOs’ intent of aggregating responsibilities.

– “Info Security Czar”: This approach allows a seasoned general manager or large-scale executive to assume the role. This may be a past CIO, COO or CRO who has managed large teams and interacted heavily with business leaders and is capable of serving as the de facto-chairman of an internal operating committee and driving the CEO’s security and IT risk agenda. While not the highly technical CISO expert, this leader will understand the broader issues so that he/she can govern the many groups who must collaborate and cooperate to succeed in the mission. I see more and more companies seriously considering the Co-Head structure.

How do you envision that would work?

Splitting the role means defining the specific priorities of high-powered, highly competent leaders who are probably not used to sharing responsibilities. Specifying the co-roles and matching them to the right individuals is difficult but essential. The co-leaders will be held accountable in their own areas and at the same time be responsible to work synergistically with their partner. Depending on the company, roles can be split by geography or by delineation of IT risk functions. However it is done, it takes strong, confident yet collaborative executives to pull it off.