There's a new CISO in town, and that person is now bridging the gap between technology and risk. Toward that end, many CSOs and CISOs are starting to report to the chief risk officer rather than the CIO.
The shift has not been without some controversy, with the main objection being that no matter how they spin it, technology is still at the heart of the job. So what are the pros and cons of this change?
"It's as much a shift in mindset and language as organizational reporting," said Steven Grossman, vice president of strategy and enablement at Bay Dynamics. The evolution of the CISO came from the guy managing firewalls, then it was a position that was for managing security, protecting system information as a critical part of business.
"The role sat in IT because that’s where it all came from. Then came the CIO role, which evolved to an executive role critical to the business," Grossman said.
As technology has evolved, so too has the role of the CISO. "Security is tech centered, but it’s really a risk management problem that requires a risk-based approach and a risk-based language," Grossman said.
Traditionally, security has been a binary way of thinking, said Grossman. "It's been that you’re either secure or not secure, but that is not achievable. Security parallels how we think about risk. It's fire proof buildings versus fire resistant buildings with layers of sprinklers, alarms, fire drills."
James Christiansen, vice president of information risk management and a member of the Office of the CSO for Optiv, said of the shift to the CISO role, "In its essence, it’s no longer about security. It’s about protecting the information wherever it flows. Where is that information, regardless of whether it's inside or outside my IT in physical or information format."
With the CISO reporting to the CRO, security becomes more in line with the goals of the business because, at its core, security is an executive level business problem. "Five years ago that never would have been a part of the conversation, but now the more successful CSOs are doing this," Christiansen said.
The goal is to manage security in a more effective way. It’s all about everybody marching to the same drummer. Bringing together all the silos in the business so that there are no silos.
Steven Grossman, vice president of strategy and enablement at Bay Dynamics
Yes, the changes to the role do bring the CISO away from the deep trenches of technology and into a different realm where soft skills are needed. "I need to understand the business goals. I am speaking to them in terms that they are going to understand," said Christiansen.
Sign up for CIO Asia eNewsletters.