This is a contributed piece by J.J. Guy, senior director of cloud engineering at Carbon Black
In recent times many security leaders in organisations were promoted from a mid-tier manager role to CISO. Security was considered “just one more job” of the IT department, so the manager who owned security took the CISO title but continued to report to the more senior CIO.
As businesses learned security was more about overall business risk than simply a function of technology, the reporting chain for CISOs started to move outside the CIO’s organisation and CISOs began reporting to the CEO, CFO or COO.
It was a mistake when CIOs created the CISO role and then moved it out of their organisation. Collectively, CIOs missed an opportunity to take responsibility for security when the CISO role was created. If CIOs had taken ownership of security and evolved their organisations, there would have been no need to distinguish them from CISOs, let alone create two separate organisations: one for IT and one for security.
This evolution is still underway, but we will soon see another shift: the CIO will increasingly report to the CISO.
CISOs are operationalising their information security programmes, transforming security from a checkbox product the CIO bought from a vendor into an operation that combines products, people and processes. Those operations are gaining discipline and rigour from a painful but effective feedback loop, thanks to constant testing by attackers. CISOs are discovering that IT basics such as network management, asset management and patching are critical to secure operations, but in many organisations they are poorly managed.