(Note: This article originally appeared on LinkedIn Pulse. If you disagree with me, please visit the LinkedIn post to join the 70+ comments we’ve gotten so far. As a community we need the open discussion to advance our collective thinking. If you agree, please like, comment and/or share the post. It’s easy for those who disagree to close the browser tab and dismiss me as “just some crazy ex-government hacker guy,” but your “like” is a vote in favor of these ideas. Together, we can demand they be taken seriously and drive the conversation. Together we will not be dismissed.)
Several years ago, security leaders in many organizations were promoted from a mid-tier manager to the CISO. In the early org chart iterations, security was considered as “just one more job” of the IT department, so the manager who owns security took the CISO title but continued to report to the CIO.
As businesses learned security was more about overall business risk than simply a function of technology, the reporting chain for CISOs started to move outside the CIO’s organization and CISOs began reporting to the CEO, CFO or COO.
This evolution is still underway, but it will shift again soon: the CIO will report to the CISO.
CISOs are operationalizing their information security programs, transforming security from a checkbox product the CIO bought from a vendor into an operation that combines products, people and processes. Those operations are gaining discipline and rigor from a painful but effective feedback loop, thanks to constant testing by attackers. CISOs are discovering the IT basics such as network management, asset management and patching are critical to secure operations, but in many organizations they are poorly managed.
As WannaCry and Petya have acutely demonstrated, there were millions of machines both unpatched for weeks and with SMB open to the world. Patching is hard & open SMB is silly, but unpatched systems with open SMB is gross negligence – and this is just one recent and high-profile example. It is impossible to secure an enterprise network when the organization can’t handle the basic blocking and tackling of IT.
To secure their networks, enterprises must begin operationalizing their IT programs, growing discipline as strong as their security operations teams. As realization of this truth grows, we will see a shift: the CISO will own not just the security functions, but all the core infrastructure – networks, devices and operating systems. The CIO will own the business processes: the core value of IT making the business more efficient. The CISO owns the core infrastructure that makes the network run, the CIO owns the applications that run on that infrastructure and the business processes they support.
Today’s titles won’t make sense at that point. The position we call CISO today will be something more similar to the Chief Information Operations Officer, to reflect his duty to operationalizing both the IT and security programs, with the 24/7 operational rigor required to maintain security and availability. He’ll have something like three direct reports: the operations center, the enterprise applications team and a compliance team.
Of course, this organization looks much like the one we had ten years ago: the CIO and his team. Except now we recognize security and an operational culture are critical components to the CIO’s role, something that was not widely recognized before. Perhaps the simplest answer is we return to the original org chart, but with a more acute understanding of responsibilities. Today’s “CISOs” get promoted to “CIO” and we return to one “technology CxO” in the executive team.
However it shakes out, it will be fun to watch unfold – and our networks will continue to get more secure as a result.