Is it Time for Two CISOs at Large Organizations?

I was able to get out of snowy Boston this week to give a presentation on enterprise security to a Federal IT audience in Washington D.C. As usual, I stated my opinion that enterprises are in the midst of a profound transformation with how they address cybersecurity risk. This change will require a new strategy around security technology AND a new type of leadership from CISOs.

What type of leadership? Well, CISOs at large organizations need visibility in the boardroom and thus possess the ability to communicate cyber risk to non-technical executives and help craft cybersecurity strategies that truly align business and IT priorities.

This led to a discussion on CISO skills in general. Some audience members complained that federal CISOs had no such skills or power, and that this position was mostly technical in nature. Others stated that they thought it might be extremely difficult to find a single individual with the right mix of business, leadership, and technical skills to take on the growing number of responsibilities of the emerging CISO role.

This actually brought me back to an idea I had several years ago. Given the expanding CISO role, enterprises should really consider splitting this position in two by creating two senior management positions:

• Chief Security Officer (CSO). This role will be similar to a Chief Risk Officer but focused on the intersection of risk management and IT-based business processes. CSOs will also be the IT security interface for the compliance, legal, public relations, and physical security teams.
• Chief Information Security Technology Officer (CISTO). This role is similar to a Chief Technology Officer. The CISTO doesn’t have to have “business chops” per se, but rather know the IT and security architecture and infrastructure inside and out.

The CSO’s role is to look from the IT department out to the business in order to understand security risks and requirements: Who needs IT assets? Which assets? For what reasons? What are the corporate governance, legal, and privacy risks and requirements?

The CISTO’s role is to look from business operations into IT to build the appropriate security architecture and individual controls to manage, monitor, and report of security effectiveness.

Thought of another way, CSOs create cybersecurity policies, CISTOs enforce cybersecurity policies. Additionally, CISTOs capture technical metrics to assess how well the organization is meeting its cybersecurity objectives. CSOs then translate these technical metrics into business metrics and then share them with corporate executives and boards. 

While each of these individuals will need some knowledge of the other’s domain, there will be specialization and different career paths for each. CSOs will likely focus on a particular industry to develop expertise on regulations, business processes, specific threats, etc. CISTOs will be more a horizontal function.

As this transition occurs, universities will develop specialized programs for each type of executive. CSOs will come from business schools but their academic requirements will also cover law enforcement, international studies, public relations, industry-specific business operations, etc. CISTOs will come from top technical schools that develop precise programs around IT and security technology.

I actually wrote a lot of the text in this blog several years ago, and while I’ve never cut-and-pasted an old blog into a new one before, I’m doing so this time for good reason. The CISO job is becoming more and more difficult and many large organizations can’t find the right person to fulfill this position. This won’t change anytime soon since there are few candidates with the business and technical chops for this type of role. 

Given the need for board-level cybersecurity involvement, it makes more sense than ever to carve the CISO job in two. I believed this was the right thing to do with my original blog in 2011, and I am even more convinced of this four years later.