There's a new CISO in town, and that person is now bridging the gap between technology and risk. Toward that end, many CSOs and CISOs are starting to report to the chief risk officer rather than the CIO.
The shift has not been without some controversy, with the main objection being that no matter how they spin it, technology is still at the heart of the job. So what are the pros and cons of this change?
"It's as much a shift in mindset and language as organizational reporting," said Steven Grossman, vice president of strategy and enablement at Bay Dynamics. The CISO role evolved from the person managing firewalls into a position responsible for managing security and protecting system information as a critical part of the business.
"The role sat in IT because that’s where it all came from. Then came the CIO role, which evolved to an executive role critical to the business," Grossman said.
As technology has evolved, so too has the role of the CISO. "Security is tech centered, but it’s really a risk management problem that requires a risk-based approach and a risk-based language," Grossman said.
Traditionally, security has been a binary way of thinking, said Grossman. "It's been that you’re either secure or not secure, but that is not achievable. Security parallels how we think about risk. It's fireproof buildings versus fire-resistant buildings with layers of sprinklers, alarms, fire drills."
James Christiansen, vice president of information risk management and a member of the Office of the CSO for Optiv, said of the shift to the CISO role, "In its essence, it’s no longer about security. It’s about protecting the information wherever it flows. Where is that information, regardless of whether it's inside or outside my IT in physical or information format."
With the CISO reporting to the CRO, security becomes more in line with the goals of the business because, at its core, security is an executive level business problem. "Five years ago that never would have been a part of the conversation, but now the more successful CSOs are doing this," Christiansen said.
Yes, the changes to the role do bring the CISO away from the deep trenches of technology and into a different realm where soft skills are needed. "I need to understand the business goals. I am speaking to them in terms that they are going to understand," said Christiansen.
In many ways, the new CISO is the bridge in communication between the technology and business executives, who often speak different languages. Having a CISO with the technical background who is able to translate technology into risk allows for the CRO to have a more effective impact on the perceptions of the board.
Why controversy over the shift?
That all sounds nice and very kumbaya-like, so why then has there been some controversy over the shift?
"The reality is that from an execution point of view, security is about technical execution," said Grossman. "When it all gets boiled down, at the heart of it is technology. Separating it can potentially create conflicting goals between risk/infosec and technology."
But, if it’s done properly and everyone is playing nicely in the sandbox, it should work. Grossman said, "The goal is to manage security in a more effective way. It’s all about everybody marching to the same drummer. Bringing together all the silos in the business so that there are no silos. Everyone has the same common goals and metrics of what the business is trying to achieve."
Changing the hard wiring of people, though, can be a formidable challenge. "Shifting people with risk mindsets to info sec is a lot easier than shifting those with technology to a risk mindset," Grossman said.
Still, the hardest thing to overcome overall is human behavior. "No matter what you do from a technological point of view, companies make it hard for users to do things, but the secure way is the technical way," said Grossman.
Christiansen said that the CRO is going to have broader responsibilities. "Now it's not just worrying about the physical but the information risk. Because of those fundamental differences in their roles, it makes for a fundamental clash."
When reporting to the CIO, there were more peer-level conversations. "If the CISO is no longer reporting to them, they start excluding them. The CISO might not be invited to meetings where they are talking about strategy," said Christiansen.
As a result, making sure they stay engaged in IT could be a challenge for the new CISO. If the shift will result in the CISO having less hands-on understanding of the technology, why is the shift happening?
Todd Fitzgerald, CISO at Grant Thornton, said, "I think it’s happening because boards are starting to understand that security is another risk to an organization. It's not really just an IT issue. The impact that cybersecurity incidents can have on the organization has put it in the same class as other risks to the organization because it can be just as damaging."
Certainly, when security is moved away from the CIO, the CISO is less aware of the IT initiatives that are going on, and that’s one downside everyone needs to be mindful of. The CIO shouldn't make the CISO feel that they're not on that team anymore, even though in many ways the CISO is now getting information from an external view.
"The advantages, though, are that when under the CIO, the money allocated for security becomes part of the CIO's pot. When other projects need more funding or resources to get things done, the money is pulled from security," Fitzgerald said.
Additionally, having the CISO report to the CIO reduces external visibility and weakens checks and balances. "Security officers report to the CIO, the CIO says we need to shift money, so they can end up with more of a conflict of interest in that relationship," Fitzgerald said.
Many of the arguments against the shift come down to an organization's maturity. "The other reason you still see organizations reporting into the CIO is that they are working on foundational security issues that require a heavy IT focus. Until they get to a certain maturity level, they aren’t making that shift," Fitzgerald said.
One advantage, though, is that CISOs gain some clout with senior management. "There’s a pathway that typically isn’t there with the CIO who has been fighting to get that seat at the table for years," said Fitzgerald.
Reporting outside of the CIO puts the CISO and the CIO on equal footing with each other, and security gets more visibility that way. "With the risk officer you have an automatic advocate around risk which moves the conversation outside of compliance and checking boxes," said Fitzgerald.
The shift is intended to bridge the gap between technology and the business. By reporting to the CRO, the CISO becomes a key player in broadening the conversation. By learning to communicate in the language of risk, the CISO makes security a more prominent concern for the business, which should help protect its critical assets.