Changes Coming To The CISO Position

It’s that time of year when industry experts of all types look into their crystal balls and make bold predictions for what’s coming in 2012. As far as security goes, lots of these predictions will center on threats (i.e. new attacks patterns, malicious code, etc.) and defenses (i.e. security technologies, services, etc.). Allow me to make offer a trend that has nothing to do with either area. I talk to lots of Chief Information Security Officers (CISO) as part of my job and I can tell you without hesitation that they are completely overwhelmed. In fact, I look at the responsibilities of a Fortune 500 CISO, and I don’t think that this role is sustainable. Why? As security threats and risk management becomes a boardroom-level concern, CISOs are being pulled in two opposing directions:1. Manage risks associated with new types of technology-based business processes. This can be industry-specific or some horizontal activity like supply chain integration, business process outsourcing, or business intelligence. CISOs must understand these business processes and their associated security/compliance risks.2. Secure and increasingly complex and highly mobile IT infrastructure. In the past few years large organizations have introduced SOA applications, server virtualization, and mobile devices to their IT portfolio. If they haven’t done so already, they will pile on IPv6, cloud computing, and pervasive data analytics in the near future. CISOs have to have strong knowledge of the threats and vulnerabilities created by these new technologies and what types of layered security defenses are needed to address them. So on the one hand CISOs need deep industry, business process, regulatory compliance, and legal knowledge while on the other they need detailed technical and security expertise up and down the entire technology stack. As my friends in the South might say, “that dog don’t hunt.”Starting in 2012, I think we will see a natural bifurcation of the CISO function into two roles:• Chief Security Officer (CSO). This role will be similar to a Chief Risk Officer but focused on the intersection of risk management and IT-based business processes. CSOs will also be the IT security interface for the compliance, legal, public relations, and physical security teams. • Chief Information Security Technology Officer (CISTO). This role is similar to a Chief Technology Officer. The CISTO doesn’t have to have “business chops” per se, but rather know the IT and security architecture and infrastructure inside and out. The CSO’s role is to look from the IT department out to the business in order to understand security risks and requirements: Who needs IT assets? Which assets? For what reasons? What are the corporate governance, legal, and privacy risks and requirements? The CISTO’s role is to look from business operations into IT to build the appropriate security architecture and individual controls to manage, monitor, and report of security effectiveness. Thought of another way, CSOs create cybersecurity policies, CISTOs enforce cybersecurity policies. While each of these individuals will need some knowledge of the other’s domain, there will be specialization and different career paths for each. CSOs will likely focus on a particular industry to develop expertise on regulations, business processes, specific threats, etc. CISTOs will be more a horizontal function. As this transition occurs, Universities will develop specialized programs for each type of executive. CSOs will come from business schools but their academic requirements will also cover law enforcement, International studies, public relations, industry-specific business operations, etc. CISTOs will come from top technical schools that develop precise programs around IT and security technology.What do you think? Have you seen examples of these kinds of roles? I plan to do a lot of research on security roles and organizations in 2012 so your comments and feedback are welcome.