CISO – Chief Information Security Officer: A challenging and ever-growing job!
A couple of decades ago, nobody was responsible full time for managing the cyber-protection of a company… At that time, such protection was ensured on a best-effort basis by the most “geeky” person around, someone at least able to install, run and monitor antivirus software!
Still, those days were fun: most spam was nothing more than April 1st jokes aimed at bothering IT system admins.
Just for fun.
Later on, with the evolution of the World Wide Web and the growing IT consumerization, the threats increased, and malware campaigns started to impact not only a couple of systems but indeed a whole datacenter or a machine room.
At that time, CTOs (Chief Technology Officers), usually reporting to the CIO (Chief Information Officer), were often assigned cybersecurity responsibilities. Obviously, most companies were then convinced that CyberSecurity was a purely technical matter and that there was no need for a full-time job or a specific set of skills.
Still, the constant and rapid evolution of hacking Tools, Techniques and Procedures (so-called “TTPs”), together with the emergence of Denial of Service (DoS) attacks, Advanced Persistent Threats (APTs) and other new ways of hacking, started to impact entire companies, or at least many of their key businesses. Many companies were discovering the threats far too late… CIOs started to look for less technical but more senior CyberSecurity Executives: people able to communicate with other C-Level Execs, to convince users and communicate appropriately, yet still experts in CyberSecurity topics and independent from technical IT management teams. The goal was also clearly to avoid CyberSecurity governance driven solely by its impact on technical performance, available skills and the agility of the technical teams.
Still, it proved difficult to assign, let alone protect, a proper CyberSec budget, instead of simply allocating whatever was left unused (and usually insignificant) of the IT budget to it. To avoid battles between CTOs and CISOs and their teams, CTOs would most of the time keep CyberSec Operations, at least to avoid splitting operational tasks – and of course to avoid the operational impacts of such misalignments.
After that, more mature organizations started to split CyberSecurity Operations from the Infrastructure and Applications teams, to ensure end-to-end management of CyberSecurity features and topics within the CyberSecurity team, as the cyber-protection of an Information System kept evolving and getting ever more complex over time.
Later on, CISOs started to report above the CIO position, most of the time without responsibility over CyberSec Operations. In some cases, CISOs would then report to a business-critical VP, sometimes to the CEO, and in the most mature organizations to a Chief Security Officer, who in turn usually reports to the CEO.
Chief Data Officer and Data Privacy Officer roles were also created, to ensure both proper use of data throughout the company and the protection of personal data within such processes, as well as compliance with applicable regulations (which started to develop in a specific way in each region, e.g. HIPAA in the USA, GDPR in Europe, the CyberSecurity Law in China, etc.).
In the most mature organizations, CISOs are also in charge of OT (Operational Technology) in addition to IT, be it the protection of industrial digital equipment or even of electronic embedded Products against cyber-threats. Indeed, in several companies, hacking into IT systems can lead to a compromise of industrial systems which, in turn, may lead to a compromise of commercialized Products. And the boundaries keep blurring.
Finally, today, CISO job descriptions vary a lot from one company to another, making it hard for individuals to compare their jobs, share lessons learned, and learn to deliver more added value to their Companies (except for CIX-A members of course!). But that’s also what makes the job interesting: it sits at the intersection of users (internal customers ^^ ), technical teams – typically both Applications and Infrastructure Depts – Legal, Purchasing, HR, Finance and of course the Execs.
According to my last survey, and at the time of this article, most CISOs still report to CIOs (41%), closely followed by CISOs reporting above CIOs (32%), typically to the CEO or to a CSO reporting to him/her. CISOs reporting to a peer of the CIO who is *not* an ExComm member are clearly behind (20%), but far above CISOs reporting to a CTO or another CIO direct report (7%) – which, at least, is good news!
Obviously, it is quite hard to predict the future of the CISO job position. I still hope that CISOs will gather with other Security roles into a governance body in charge of protecting People, Premises and Data (either physical or digital). Of course, the higher up the CISO reports, the more he/she is confronted with various business stakes, which means the more he/she may act as a real business enabler (you would never expect that from a technical geek, right?!).
However, the diversity of IT governance, strategies, software and hardware, IT urbanization (enterprise architecture), delivery models and projects will always be reflected in the variety of CISO job descriptions.
That’s the beauty of such a diverse and ever-changing job!